Re: Automatically moving marked mails?
Ian Eiloart wrote, at 07/09/2009 05:39 AM:

> Except that the sieve server ought to be on the border MTA, so that the user can tell the server to reject the message at SMTP time.

That's not feasible for mail with multiple recipients.

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Automatically moving marked mails?
Ian Eiloart wrote, at 07/09/2009 10:46 AM:

> --On 9 July 2009 09:54:31 -0400 Adam Tauno Williams <a...@morrison-ind.com> wrote:
>
>> Ian Eiloart wrote, at 07/09/2009 05:39 AM:
>>
>>> Except that the sieve server ought to be on the border MTA, so that the user can tell the server to reject the message at SMTP time.
>>
>> That's not feasible for mail with multiple recipients.
>>
>> It is if your rule is to reject all email from a specific sender.
>>
>> No, because the MTA either accepts or rejects a message [in connection].
>
> Not true. The MTA can decide *per recipient* whether to accept mail from a specific sender.

How?

> It's true that the MTA hasn't seen the message content at this point, but it does have enough information to determine - for example - whether the sender is a member of a mailing list, or is on a recipient's blacklist or whitelist. We do a lot of that.

Please elaborate. What kind of feedback does the sender get when you reject a message during the SMTP transaction for one recipient, but deliver it for others?
Re: Automatically moving marked mails?
Greg A. Woods wrote, at 07/06/2009 05:42 PM:

> Personally I'd suggest Mac OSX and Apple Mail as a first cut for anyone who wants an easy-to-manage and easy-to-use, and half-decent MUA. It doesn't do everything I want to do as a hyper-experienced e-mail user, nor is it apparently easy to write proper extensions for, but it certainly does cover all the main requirements the average user has.

I disagree. Apple Mail has some fundamental usability issues that need to be addressed. Every time I try it out, I can't get past the fact that there's no easy way to step through all unread messages in a mailbox. How do people quickly read new mail with Apple Mail?

> Equally I'm sure Thunderbird works well for many people too.

This is currently my preferred client, although it has its own flaws. However, it has some of the best thread handling and allows me to move to the next unread message with a single keypress: 'n'. The message filters are also pretty nice, if you don't have access to server-side filtering. Finally, its support for multiple accounts seems to be superior to any other client I've tested.

> After all these years I still fail to see what e-mail and calendar keeping have to do with each other. It's lunacy to put them in the same tool. Use the right tool for the job.

Agreed. It's bizarre that this is exactly what gets people addicted to Exchange, when separate protocols offer more flexibility and opportunities for improved integration. I find Outlook/Exchange calendaring to be incredibly underfeatured, yet it's wrapped up in a tidy package with email, so people feel like they're killing two birds with one stone.

> Yes, doing scheduling and calendar maintenance requires communicating between multiple parties, but e-mail is _not_ the right tool for this kind of communications!

Well, it can be, but so can IRC, IM, SMS, etc.
Re: Automatically moving marked mails?
jul...@precisium.com wrote, at 07/01/2009 05:26 PM:

> Personally I agree it would be nice if Cyrus would do something to compensate for the deletion issue - but I can understand if there is a reluctance on the part of the developers to do this.

This issue involves the IMAP protocol and is not specific to Cyrus. The only meaningfully defined special mailbox is INBOX. It would be disastrous for Cyrus to change deletion behaviour by moving deleted mail to some arbitrarily named mailbox. What name should it use? One that pleases users of Outlook? Thunderbird? Some random webmail application? Until the IMAP protocol is updated or replaced, delete/expunge is a fact of life.

It's true that the concept of delete/expunge is difficult for many new users to grasp. In my experience, the worst consequence is when users who delete but never expunge exceed quota and don't know why, because deleted messages are hidden from view. A visual indicator (such as a strike-through, symbol, special color) is far more preferable, as it at least makes the problem evident.

I agree that the whole process borders on the ridiculous, but that's a problem with IMAP, not Cyrus (and most users would probably clamour for similar functionality if the behaviour was removed). In any case, users expect to control this in the MUA, so it's probably best to keep it out of the server.
Re: Cyrus IMAP SASL authentication failure
Vladimir Vassiliev wrote, at 06/17/2009 09:02 AM:

> Here is an extract from my imapd.conf file:
>
> admins: cyrus
> imap_admins: cyrus
> sasl_mech_list: LOGIN
> sasl_minimum_layer: 1
> sasl_maximum_layer: 256
> sasl_pwcheck_method: saslauthd
>
> Maybe it's because of sasl_minimum_layer: 1
>
> LOGIN gives you no security layer.

Indeed. Try:

cyradm --user cyrus --auth login localhost -tls
Re: searching for a 25 seconds delay
Iv Ray wrote, at 05/14/2009 05:09 AM:

> On 14.05.2009, at 08:01, Rudy Gevaert wrote:
>
>> It is maybe your sasl not having enough entropy, as probably squirrelmail logs in for each request. Recompile sasl to use /dev/urandom instead of /dev/random
>
> Hi,
>
> No change. What else can it be?

Show us how you are invoking imtest on the command line, then show us everything up to and including the line containing the word AUTHENTICATE (before you actually enter your password). This will reveal the mechanisms offered by the server, and the one imtest is using without encountering a delay. Consider creating a test user for this, so you don't accidentally post any sensitive information.

Once you have that information, you can compare it to the imapd log, which will list the mechanism Squirrelmail is using. Speaking of logs, have you inspected them for relevant errors? Either way, a sample would be helpful.
Re: Calling all regressions
Bron Gondwana wrote, at 03/12/2009 07:42 AM:

> On Thu, Mar 12, 2009 at 02:55:03AM -0700, Carson Gaspar wrote:
>
>> Bron Gondwana wrote:
>>
>>> AAA+++ to cyr_conf! I'll write it up :) I think we want it to have the following spec:
>>>
>>> * cyr_conf - output all configuration variables and their current value
>>> * cyr_conf -C $file - as above with the following config file
>>> * cyr_conf -n $name - all configuration variables for process $name (eg cyr_conf -n imapd = show imapd overrides where given)
>>> * cyr_conf -q - only show variables that are different than default
>>>
>>> - those three can be mixed and matched
>>>
>>> * cyr_conf -D - show all the DEFAULT variables. Obviously, ignores all other options!
>>
>> Please include one of the most useful options that postconf has (postconf -n) - emit only those config key/value pairs that are not set to their default values. More often useful in real life than just emitting all config key/value pairs.
>
> Yeah, I called that -q. If we make it -n then we'll have to make the named process config a different character. The spec isn't nailed down yet, I haven't even written anything!

Actually, postconf -n shows parameters that have been explicitly set, even if they are the same as the default. This is a subtle (and IMHO very useful) distinction.

Although many simply grep the output of postconf because they can't remember the exact name of a parameter, another very useful feature of postconf is the ability to directly query the value of one or more parameters using postconf [parameter...]:

postconf mynetworks

or:

postconf mynetworks inet_interfaces

I realize that a variety of MTAs are used in conjunction with Cyrus IMAPd, but Postfix is an extremely well thought-out application. As a Postfix administrator, I'd be thrilled to see a utility like cyr_conf modeled as closely after postconf as possible, if only to simplify any new tricks this old dog has to learn.
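A small model of the cyr_conf semantics argued over above (added here as an illustration; it is not Bron's tool nor any Cyrus code): "explicitly set" in the postconf -n sense, "differs from default" in the -q sense, per-service `<service>_<option>` overrides for -n $name, and a direct parameter query. The DEFAULTS table and the sample imapd.conf are constructed for the example, not the real Cyrus defaults.

```python
"""cyr_conf model: explicitly-set vs non-default keys, service overrides, queries."""

# Constructed defaults for a few options. These are NOT the real Cyrus
# defaults; take them from imapd.conf(5) for your version in real use.
DEFAULTS = {
    "allowplaintext": "yes",
    "sasl_minimum_layer": "0",
    "sasl_pwcheck_method": "auxprop",
    "virtdomains": "off",
    "tls_cert_file": "",
    "tls_key_file": "",
}

# Constructed imapd.conf sample (not taken from any poster's file).
SAMPLE_CONF = """\
# paths
configdirectory: /var/imap
# set explicitly, but equal to the (assumed) default
allowplaintext: yes
sasl_minimum_layer: 128
tls_cert_file: /etc/ssl/certs/mail.pem
tls_key_file: /etc/ssl/private/mail.key
# per-service override; the prefix is the service name from cyrus.conf
pop3s_tls_cert_file: /etc/ssl/certs/pop.pem
"""


def parse_conf(text):
    """Parse 'key: value' lines. '#' comments and blank lines are skipped and
    a repeated key keeps its last value; key names are not validated."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def explicitly_set(conf):
    """postconf -n analogue: every key present in the file, even when its
    value happens to equal the default."""
    return dict(conf)


def non_default(conf, defaults=DEFAULTS):
    """The '-q' semantics: only keys whose value differs from the default.
    Keys with no known default are reported, since nothing can be compared."""
    return {k: v for k, v in conf.items() if defaults.get(k) != v}


def effective(conf, service=None, defaults=DEFAULTS):
    """Merged view: defaults, then the file, then <service>_<option> overrides
    for the named process (the '-n name' case)."""
    merged = dict(defaults)
    merged.update(conf)
    if service:
        prefix = service + "_"
        for key, value in conf.items():
            option = key[len(prefix):]
            if key.startswith(prefix) and option in merged:
                merged[option] = value
    return merged


def query(conf, names, service=None):
    """postconf [parameter...] analogue: effective value of each name, or
    None when neither the file nor the defaults know the parameter."""
    eff = effective(conf, service)
    return {n: eff.get(n) for n in names}


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("# non-default (-q):")
    for key, value in sorted(non_default(conf).items()):
        print(f"{key}: {value}")
    print("# effective for pop3s (-n pop3s):")
    for key, value in sorted(effective(conf, "pop3s").items()):
        print(f"{key}: {value}")
```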
Re: virtdomains and defaultdomain issue
Edwin Boersma wrote, at 02/23/2009 07:43 AM:

> Hi,
>
> Just to make it clear: the problem only occurs with the default domain, not with other virtual domains. All users are in the SQL database, and cyrus does a correct translation to the mailbox for all the others. The only problem is that the default domain is replaced with the local computer name.
>
> [snip]
>
> In my opinion (can you give me yours, Andrew?), cyrus should not rewrite the default domain when using %r, but internally redirect to the local mailbox (so after login). Or provide a mechanism where the local mailbox is transformed into a virtual domain box.
>
> 2009/2/18 Edwin Boersma <edwin.boer...@secureoffice.net>:
>
> Hi,
>
> To be able to have user names like user@our.domain and sameuser@another.domain, I have changed our IMAP config to use virtual domains. To be able to access the existing mailboxes, I added the defaultdomain option to imapd.conf.
>
> You will probably also want to set servername to prevent cyrus from using gethostname:
>
> Here's the imapd.conf:
>
> defaultdomain: secureoffice.net
> servername: secureoffice.net

Is there a problem you are trying to solve with u...@domain logins? In most cases, this is done to support similar logins across multiple domains (supp...@example.com, supp...@example.net, etc.). However, I find that this confuses clients, who will try to use alias addresses as logins, and prefer to assign unique logins across all domains (foosupport, barsupport, etc.). This way, I don't need to enable virtdomains in Cyrus IMAPd, and just put everyone in the same realm (a single arbitrary domain, it doesn't even need to exist in DNS or accept email). Then I set defaultdomain and servername to that realm in imapd.conf along with smtpd_sasl_local_domain in the Postfix main.cf. As a result, all lookups are done against this single realm and users can authenticate with a bare login without appending the realm.

This approach still supports multiple email domains, but simplifies configuration and may even improve portability (but I'm using sasldb, not SQL, so there may be other issues I'm not considering). The only caveat is that all logins must be unique; two users of different accounts can't each login as support. On the other hand, this arrangement has come in handy when we've had to replace heavily spammed public addresses like i...@example.com with informat...@example.com, because it isn't necessary to change login credentials in the client.

I only mention this as an alternative, in case you really don't need to support full u...@domain logins.
Re: Problem with sieve login since update to 2.3.13
Martin Schweizer wrote, at 02/14/2009 11:30 AM:

> Since the update to .13 I can no longer login to sieve as a regular user (also not by sieveshell). Only root can login by sieveshell. If I want to login as a regular user by sieveshell the password prompt comes up and I can type in the password, that is all. No login, nothing.

Add this line to imap.conf:

sieve_sasl_send_unsolicited_capability: 1
Re: Problem with sieve login since update to 2.3.13
Jorey Bump wrote, at 02/14/2009 12:13 PM:

> Martin Schweizer wrote, at 02/14/2009 11:30 AM:
>
>> Since the update to .13 I can no longer login to sieve as a regular user (also not by sieveshell). Only root can login by sieveshell. If I want to login as a regular user by sieveshell the password prompt comes up and I can type in the password, that is all. No login, nothing.
>
> Add this line to imap.conf:
>
> sieve_sasl_send_unsolicited_capability: 1

Sorry, obviously that should be imapd.conf. :P
Re: Security risk of POP3 IMAP protocols
Alain Williams wrote, at 02/13/2009 10:30 AM:

> On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote:
>
>> --On 13 February 2009 14:35:43 + Alain Williams <a...@phcomp.co.uk> wrote:
>>
>>> That got me thinking: I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the same with IMAP would that cause problems with some clients, i.e. are there some clients that do many connect/disconnects?
>>
>> Yes. Anything that opens a bunch of mailboxes at the same time might be doing way more than that. You should be measuring failed attempts, not attempts.
>
> Yes, but I do the rate limiting with iptables (Linux firewall). I don't know how to feedback failed attempts to iptables.

I have yet to encounter an automated brute force attack that negotiates STARTTLS, SSL or any of the more secure SASL mechanisms. In time, this will probably change, but you will get more bang for your buck now if you enforce encrypted connections. You can still run an unencrypted port on localhost (or restrict access another way) if you need it for webmail.
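Ian's point is that the firewall should count failed logins rather than connections, and Alain's thresholds were 3 per 3 minutes per IP. The script below (an added example, not from anyone in the thread) does that counting over Cyrus syslog lines so the result can be fed to a firewall blocklist; a client opening many mailboxes at once produces many successful "login:" lines and is never flagged. The log sample is constructed, and the exact "badlogin:" line shape is an assumption about Cyrus 2.3 output, so adjust LINE_RE to your logs.

```python
"""Count failed Cyrus logins per source IP over a sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog sample (not from the thread). The 'badlogin:' shape is
# an assumption about Cyrus 2.3 output; adjust LINE_RE if your logs differ.
SAMPLE_LOG = """\
Feb 13 14:30:00 mail imap[2004]: badlogin: [192.0.2.20] plaintext alice SASL(-13): authentication failure: checkpass failed
Feb 13 14:35:01 mail imap[2001]: badlogin: [192.0.2.10] plaintext bob SASL(-13): authentication failure: checkpass failed
Feb 13 14:35:02 mail imap[2007]: login: desk.example.net [192.0.2.30] carol DIGEST-MD5 User logged in
Feb 13 14:35:02 mail imap[2008]: login: desk.example.net [192.0.2.30] carol DIGEST-MD5 User logged in
Feb 13 14:35:03 mail imap[2009]: login: desk.example.net [192.0.2.30] carol DIGEST-MD5 User logged in
Feb 13 14:35:03 mail imap[2010]: login: desk.example.net [192.0.2.30] carol DIGEST-MD5 User logged in
Feb 13 14:35:20 mail imap[2002]: badlogin: [192.0.2.10] plaintext root SASL(-13): authentication failure: checkpass failed
Feb 13 14:36:05 mail imap[2003]: badlogin: [192.0.2.10] plaintext admin SASL(-13): authentication failure: checkpass failed
Feb 13 14:36:10 mail imap[2005]: badlogin: [192.0.2.20] plaintext alice SASL(-13): authentication failure: checkpass failed
Feb 13 14:42:30 mail imap[2006]: badlogin: [192.0.2.20] plaintext alice SASL(-13): authentication failure: checkpass failed
Feb 13 14:42:31 mail master[1]: process 2006 exited, status 0
"""

# syslog timestamp, host, cyrus service[pid], then "login:" or "badlogin:"
# followed by an optional hostname and the client IP in square brackets.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?:imap|imaps|pop3|pop3s)\[\d+\]: (?P<event>badlogin|login): "
    r"[^\[]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_events(text, year=2009):
    """Return chronologically sorted (timestamp, event, ip) tuples for login
    and badlogin lines; other lines (master, lmtp, ...) are ignored.
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["event"], m["ip"]))
    events.sort()
    return events


def offending_ips(text, max_failures=3, window_seconds=180):
    """Return {ip: first time it reached max_failures badlogins within
    window_seconds}. Successful logins are never counted, so a client
    that opens many mailboxes at once is not penalised."""
    recent = defaultdict(deque)
    breaches = {}
    for ts, event, ip in parse_events(text):
        if event != "badlogin":
            continue
        window = recent[ip]
        window.append(ts)
        # drop failures that fell out of the sliding window
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures and ip not in breaches:
            breaches[ip] = ts
    return breaches


if __name__ == "__main__":
    # One offender per line, ready for a firewall blocklist script to consume.
    for ip, when in sorted(offending_ips(SAMPLE_LOG).items()):
        print(f"{ip} {when:%b %d %H:%M:%S}")
```

With the 3-minute window only 192.0.2.10 is flagged; widening the window to 15 minutes also catches the slow attempts from 192.0.2.20, which is the tuning trade-off against locking out users who mistype a password now and then.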
Re: Expire (manually) TLS sessions?
Jeff Blaine wrote, at 01/21/2009 01:36 PM:

> bash-2.05# su cyrus -c "/imapsrv/mail/cyrus/bin/imtest -t /var/imap/server.pem imapsrv"

My understanding is that you only specify a keyfile if you're testing client certificate authentication. For a normal test of TLS encryption, it should be empty (but quoted):

imtest -u bob -a bob -t "" mail.example.com

You'll still see this:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate

But you shouldn't see this:

SSL_connect error 0
SSL session removed
failure: TLS negotiation failed!

If it works, you'll see this instead:

TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
C: C01 CAPABILITY
...

BTW, you probably shouldn't be advertising AUTH=PLAIN pre-STARTTLS. Try something like this in imapd.conf, adjusted for the mechanisms you support:

# authentication
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: no
# use this to enforce TLS with plaintext mechanisms
sasl_minimum_layer: 128
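The two checks behind the advice above, as an added example (not Jorey's or Cyrus' code): one looks at the pre-STARTTLS greeting and lists any plaintext mechanisms it advertises, the other audits an imapd.conf for the allowplaintext / sasl_minimum_layer combination and also catches the lock-out case where a minimum layer of 128 is demanded but no TLS certificate is configured. The greeting and configs are constructed; the 2.3 default of allowplaintext: yes and the meaning of an unset sasl_mech_list are assumptions noted in the code.

```python
"""Audit plaintext SASL mechanisms: IMAP greeting and imapd.conf views."""
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed greeting in the shape imtest prints (host name is made up).
GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] "
            "mail.example.com Cyrus IMAP v2.3.13 server ready")

# Constructed imapd.conf fragments: weak, hardened, and hardened-but-locked-out.
WEAK_CONF = """\
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
tls_cert_file: /etc/ssl/certs/mail.pem
"""
HARDENED_CONF = """\
# authentication
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: no
# use this to enforce TLS with plaintext mechanisms
sasl_minimum_layer: 128
tls_cert_file: /etc/ssl/certs/mail.pem
"""
LOCKOUT_CONF = """\
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
sasl_minimum_layer: 128
"""


def parse_capabilities(greeting):
    """Return the CAPABILITY tokens from an untagged greeting, or []."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return m.group(1).split() if m else []


def plaintext_mechs_offered(greeting):
    """Plaintext SASL mechanisms in the greeting. A greeting that still lists
    STARTTLS was sent before any TLS layer, so these would carry passwords
    in the clear if a client used them."""
    caps = parse_capabilities(greeting)
    mechs = {c[5:].upper() for c in caps if c.upper().startswith("AUTH=")}
    return sorted(mechs & PLAINTEXT_MECHS)


def parse_imapd_conf(text):
    """Parse 'key: value' lines, skipping '#' comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def is_true(value):
    return value.strip().lower() in ("yes", "1", "true", "on", "t", "y")


def audit_auth(conf):
    """Return a list of findings about plaintext mechanisms reachable without
    a TLS layer; an empty list means the config matches the advice above."""
    findings = []
    if "sasl_mech_list" in conf:
        mechs = {m.upper() for m in conf["sasl_mech_list"].split()}
    else:
        # assumption: an unset list means every installed mechanism, PLAIN included
        mechs = set(PLAINTEXT_MECHS)
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    allow = is_true(conf.get("allowplaintext", "yes"))  # 2.3 default assumed: yes
    min_layer = int(conf.get("sasl_minimum_layer", "0"))
    if exposed and allow and min_layer == 0:
        findings.append("%s offered without a TLS layer: set allowplaintext: no "
                        "(or a sasl_minimum_layer)" % "/".join(exposed))
    if min_layer >= 128 and not conf.get("tls_cert_file"):
        findings.append("sasl_minimum_layer: %d requires TLS, but tls_cert_file is "
                        "unset: no mechanism will satisfy it and nobody can log in"
                        % min_layer)
    return findings


if __name__ == "__main__":
    print("greeting offers pre-TLS:", plaintext_mechs_offered(GREETING))
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("lockout", LOCKOUT_CONF)):
        print(name, audit_auth(parse_imapd_conf(text)) or ["ok"])
```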
Re: choosing a file system
Andrew McNamara wrote, at 01/19/2009 01:29 AM:

> Yeah, except Postfix encodes the inode of the queue files in its queue IDs, so it gets very confused if you do this. Same with restoring queues from backups.
>
> You should be able to get away with this if, when moving the queue to another machine, you move the queued mail from hold, incoming, active and deferred directories into the maildrop directory on the target instance. This (somewhat old, but still correct, I think) message from Wietse might shed more light on it:
>
>> Date: Thu, 12 Sep 2002 20:33:08 -0400 (EDT)
>> From: wie...@porcupine.org (Wietse Venema)
>> Subject: Re: postfix migration
>>
>>> I want to migrate postfix to another machine. What are also the steps so that I won't lose mails on the process?
>>
>> This is the safe procedure.
>>
>> 1) On the old machine, stop Postfix.
>> 2) On the old machine, run as super-user: postsuper -r ALL
>>    This moves all queue files to the maildrop queue.
>> 3) On the old machine, back up /var/spool/postfix/maildrop
>> 4) On the new machine, make sure Postfix works.
>> 5) On the new machine, stop Postfix.
>> 6) On the new machine, restore /var/spool/postfix/maildrop
>> 7) On the new machine, start Postfix.
>>
>> There are ways to skip the postsuper -r ALL step, and copy the incoming + active + deferred + bounce + defer + flush + hold directories to the new machine, but that would be safe only with an empty queue on the new machine.

This has become somewhat off-topic for this list, but you might be able to simply sync the entire Postfix queue to the backup machine, and run postsuper -s before starting Postfix on the backup. From the postsuper man page:

    -s  Structure check and structure repair. This should be done once before Postfix startup. Rename files whose name does not match the message file inode number. This operation is necessary after restoring a mail queue from a different machine, or from backup media.

The important thing to keep in mind is that Postfix embeds the inode number in the filename simply to keep the name unique while the message resides on the filesystem. Obviously, this approach breaks when the files are copied to another filesystem. Renaming them appropriately on the new destination ensures no files will be overwritten as the queue is processed or new messages enter the queue.

Of course, the scheme I proposed earlier requires that once the backup Postfix is brought up, it must be impossible for the primary to begin resyncing files to the same location on the backup if it becomes active again (or refuses to die a graceful death). Certainly tricky, but it sounds like the use case is to preserve the queue in case of a total failure, just to make sure the mail goes out (even if it means it goes out twice).
Re: Expire (manually) TLS sessions?
Jeff Blaine wrote, at 01/16/2009 10:12 AM:

> With the tls_ca_file line removed, Thunderbird asked me to specify a client certificate, I chose my cert and entered my password to access it.

That sounds backwards. My understanding is that setting tls_ca_file is what will cause some clients to prompt for a client certificate, and that commenting out the setting avoids this problem if you don't use client certs.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
> Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS server engine: cannot load CA data

That's fine. It's a spurious log message as a result of removing tls_ca_file.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters

This is also normal, nothing to worry about.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work

More harmless noise from the removal of tls_ca_file.

> Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a peer verify
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no certificate returned in SSL_accept() - fail
> Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

This is probably related to your client certificate, now that you don't have a CA store for verification. I don't know why Thunderbird prompted you for a certificate, though. You might want to test from another Thunderbird with no client certs installed. In any case, this might be easier to troubleshoot if you post your imapd.conf (and maybe even cyrus.conf).

I found it was a little tricky upgrading within 2.3.x due to some TLS changes, but I still managed to maintain a very simple configuration. Yours just might need a couple of tweaks.
Re: AW: different Cert for POP/IMAP
mno wrote, at 01/12/2009 12:34 PM:

> 2) the right name for the option is pop3s_tls_cert_file and pop3s_tls_key_file,
>
> [snip]
>
> Though I'm not a programmer, I had a look at the source itself and did not find any hint for the use of pop3_tls_cert_file and pop3_tls_key_file. These params are useless - can anybody confirm this?

Note that the pop3_tls_(cert|key)_file params are not useless. If you support STARTTLS on the standard pop3 port 143 (you should), you will want to set these as well, if you want the same certificate to be presented as on pop3s port 995.
Re: choosing a file system
Bron Gondwana wrote, at 01/10/2009 04:56 AM:

> So - no filesystem is sacred. Except for bloody out1 with its 1000+ queued postfix emails and no replication. It's been annoying me for over a year now, because EVERYTHING ELSE is replicated. We've got some new hardware in place, so I'm investigating drbd as an option here. Not convinced. It still puts us at the mercy of a filesystem crash. I'd prefer a higher level replication solution, but I don't know any product that replicates outbound mail queues nicely between multiple machines in a way that guarantees that every mail will be delivered at least once, and if there's a machine failure the only possible failure mode is that the second machine isn't aware that the message hasn't been delivered yet, so delivers it again. That's what I want.

You could regularly rsync or rdiff-backup your Postfix queue directory to another machine where Postfix lies dormant, but with a similar configuration. In the event of a machine failure, you can start up Postfix on the backup, which may even be able to function as a complete replacement (submission, MX, delivery over LMTP). There is still opportunity for minor race conditions and automating failover needs to be worked out, but it's better than nothing.

Jorey ( big fan of Bron's occasional parenthetical sig comments! )
No Command Prompt after Login w/Sieveshell (Cyrus IMAPd 2.3.13)
This is the first time I've used sieveshell since upgrading to Cyrus IMAPd 2.3.13. It will prompt me for my password, but once I log in, it simply hangs without any feedback or providing a '>' command prompt. According to the log, login was successful:

sieve[29093]: login: localhost[127.0.0.1] jorey DIGEST-MD5 User logged in

There are no other related entries that follow, other than the disconnection message when I hit Ctrl-C to abort.

I've used previous versions of sieveshell successfully, but I'm getting the same behaviour on two different installations of Cyrus IMAPd 2.3.13. I really need to get this vacation message installed today. Is there a known fix? If not, is there a way to install the script manually, bypassing sieveshell?
Re: No Command Prompt after Login w/Sieveshell (Cyrus IMAPd 2.3.13)
OBATA Akio wrote, at 12/24/2008 09:19 AM:

> Hi,
>
> On Wed, 24 Dec 2008 23:09:27 +0900, Jorey Bump <l...@joreybump.com> wrote:
>
>> This is the first time I've used sieveshell since upgrading to Cyrus IMAPd 2.3.13. It will prompt me for my password, but once I log in, it simply hangs without any feedback or providing a '>' command prompt. According to the log, login was successful:
>>
>> sieve[29093]: login: localhost[127.0.0.1] jorey DIGEST-MD5 User logged in
>>
>> There are no other related entries that follow, other than the disconnection message when I hit Ctrl-C to abort.
>>
>> I've used previous versions of sieveshell successfully, but I'm getting the same behaviour on two different installations of Cyrus IMAPd 2.3.13. I really need to get this vacation message installed today. Is there a known fix? If not, is there a way to install the script manually, bypassing sieveshell?
>
> I've put the following line in imapd.conf to get away from the situation:
>
> sieve_sasl_send_unsolicited_capability: 1

Thank you, it worked!
Re: Thunderbird with cyrus-imapd: Why chose client certificate?
Frank Richter wrote, at 11/14/2008 03:20 AM:

> Thanks, but ... I did this - not defining a tls_ca_file, and adding my CA chain to tls_cert_file. I'm getting the same behavior - Thunderbird is asking for a client cert. And the log entry:
>
> TLS server engine: No CA file specified. Client side certs may not work

Just a thought: Do you have "Use secure authentication" checked in Thunderbird's server settings for that account? It's always annoyed me that you can't explicitly set which secure mechanism to use (CRAM-MD5, DIGEST-MD5, GSSAPI, etc.). I wouldn't be surprised if it's trumping the other mechanisms because you have a client certificate installed.
Re: Thunderbird with cyrus-imapd: Why chose client certificate?
Frank Richter wrote, at 11/05/2008 10:58 AM:

> Hi,
>
> I've a cyrus-imapd 2.3.12 installation with these options in imapd.conf
>
> tls_cert_file: /etc/exim/etc/server.crt
> tls_key_file: /etc/exim/etc/server.key
> tls_ca_file: /etc/pki/tls/certs/ca-chain.crt
> tls_require_cert: 0
>
> SSL and STARTTLS are working fine. I've imported a personal S/MIME certificate to thunderbird. When connecting to the IMAP server (using STARTTLS), thunderbird asks me to select a client cert, showing (translated from German): "This website (!) requires a certificate for identification ... Chose a certificate ..."
>
> The server doesn't and shouldn't accept client certificates. So who is wrong? My configuration, thunderbird ... I hope somebody will enlighten me ...

Try appending the CA's root certificate for your personal S/MIME certificate to the file specified in tls_ca_file. FWIW, I use the bundle provided by curl (/usr/share/curl/curl-ca-bundle.crt on my system), because it's in the correct format. You might have to append additional certificates, depending on your needs.

This seems to be related to Cyrus' behaviour whenever tls_ca_file is defined. The best solution seems to be to use a general purpose bundle, though I haven't tested it with client certificates.
Re: Thunderbird with cyrus-imapd: Why chose client certificate?
Goetz Babin-Ebell wrote, at 11/13/2008 03:57 PM:

> If you don't want to do client authentication, why do you set tls_ca_file at all ?

Hmm, I do it to suppress these errors:

TLS server engine: cannot load CA data

Setting tls_ca_file to a properly formatted bundle suppresses the error, but now I'm wondering if that's a good idea. Will this expose my server in any way? I don't see how, but the documentation (and error) is very sparse:

tls_ca_file: <none>
    File containing one or more Certificate Authority (CA) certificates.

There's no mention of client certificate authentication.
Re: Unpredictable results from imapsync runs
Ciprian Marius Vizitiu (GBIF) wrote, at 11/03/2008 01:04 PM:

> I'm trying to migrate a small 120GB IMAP store from a 32 bit Cyrus 2.2.12 on RHEL4 to a 64 bit Cyrus 2.3.7 running on RHEL5. Multiple test runs of imapsync on a 4.2 GB folder will result in annoying errors e.g. one of the destinations will show some extra 5 unread messages (in one folder) and/or 2 messages missing in another =:-o ... No easy way to predict which folder will be affected and I'm sure nobody's been messin' with the affected test folders. A scan of the logs left me empty handed so any hints would be appreciated. o:-)

It's been a few years since I used imapsync, but I remember struggling to get the command line options just right. What command are you using? Ultimately, I scripted it, and here's an excerpt from an early test:

#!/bin/sh
# assuming user/password matches on both hosts
USER=bob
SECRET=secretpass
HOST1=old.example.net
HOST2=new.example.net

# parentheses must be quoted or the shell chokes on them
echo "Pass 1 (transfer INBOX, only):"
imapsync \
  --host1 "$HOST1" --user1 "$USER" --password1 "$SECRET" --ssl1 --folder INBOX --expunge --expunge1 \
  --host2 "$HOST2" --user2 "$USER" --password2 "$SECRET" --ssl2 --delete2 --expunge2

Eventually, this evolved into a much more complicated script that enabled me to migrate my entire UW-IMAP store, so a lot of it will be irrelevant here. The trick was getting the expunge/delete options right, in order to get the most rsync-like behaviour. Nonetheless, I had a bit of manual cleanup afterwards.

You'll want to fine-tune this on a dummy account, and make use of the --dry option to get an idea of what will happen. As always, YMMV, so make backups and test on copies.
Re: IMAP account used for multiple users
Jason Voorhees wrote, at 10/13/2008 01:58 PM:

> A simple question: Is there any kind of problem if a unique IMAP account is used by more than one client at the same time?

It can be done...

> I'm thinking to give access to all my users (up to 90 users) through MS Outlook to a unique IMAP account.

...but not with Outlook. I should be fair, and state that any special features of any client can cause problems, along with the issues that simply come from everyone playing in the same sandbox. For example, all it takes is one user to set aggressive (or use poorly trained) junk filtering to wreak a bit of havoc for everyone. Nonetheless, Cyrus does allow concurrent read/write access, which is handy for users that access webmail while leaving desktop clients running.

The extra burden with Outlook comes from its monolithic approach that allows email to trigger a variety of events. When I evaluated sharing an account with Outlook 2007, it didn't seem wise due to the ease with which another user can affect your todo list, calendar, and god knows what else. Outlook is really a personal organizer, and should be kept personal, IMHO.

> I don't plan to use subscribed folders instead for simplicity reasons.

A broadcast alias or mailing list is often better. Or go with a full-blown issue tracker, if that's what you're really trying to do.
Re: suggestion need to design an email system.
David Lang wrote, at 09/18/2008 12:12 AM:

> doing a quick google check on maildir it also appears that maildir is not as standard as people think it is, it's defined almost entirely by the implementation (DJB started it, but never worked to turn it into a standard for others to use)

This was definitely a strike against the Maildir-based systems I evaluated along with Cyrus a few years ago. None of them appeared to be true drop-in replacements for each other, and the subtle differences weren't transparent to the end user. In the end, performance and ease of configuration for the end user are what tipped the scales in favor of Cyrus (Dovecot was in beta at the time and still had some serious bugs).
Re: Which 2.3.x version to match 2.2.12 in stability? :-)
Ciprian Marius Vizitiu wrote, at 09/16/2008 08:17 AM:

> As much as I hate it time has come to upgrade my very well behaved Cyrus imapd so I was wondering: given the rock solid stability I have experienced with 2.2.12 is there any 2.3.x Cyrus with some close record of stability? What is your experience? I don't care about replication, I only run one server for 40 mailboxes, true some of my users have like 25.000 emails in one folder but no fancy features required just plain IMAP. :-) What would be your advice? Ok, other than stay with 2.2.12!?

I don't think there's much choice other than the latest testing release, 2.3.12p2. It has the most features to date and addresses some significant bugs. I have sites that match your profile, and I've been pleased with it, so far. I've been following the 2.3.x series for a while, now, and wouldn't go back to any previous version.
Pruning Duplicates
I've discovered that a user's folder suddenly contains a couple of thousand duplicate messages. Each pair of messages shares the same inode (ext3) but has a different filename (for example, 15715. and 21534.). I haven't determined the cause yet, but I believe it may be due to an aborted attempt to reorganize this large collection of emails (almost 20,000 messages). The account is shared among a handful of users who access it concurrently, using the same login and password, which may have contributed to the issue. Is the shared inode a result of Cyrus IMAPd's duplicate suppression?

I've been asked to remove the duplicates. Can anyone recommend a safe and simple method for doing so?
Re: Pruning Duplicates
Wesley Craig wrote, at 08/25/2008 10:45 PM:

> I've seen this before with Thunderbird. As I recall, Thunderbird requests a lengthy operation but times out (or fills a buffer?) before getting a result back. It then tries the operation again, until the mailbox is woefully full.

Interesting. Aside from webmail, Thunderbird is indeed the only other client used to access this account.

> To clean up, we typically calculate checksums on the files and find duplicates that way.

In this case, I can easily find the inodes that reference more than one file:

    ls -li /var/spool/imap/user/bob/folder | cut -b 1-8 | sort | uniq -d

I was hoping to somehow leverage this information to delete the duplicates only, but haven't quite figured it out myself.
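The two approaches in this exchange (Wesley's checksum comparison and the inode pipeline above) as one script that only reports, never deletes. This is an added example, not code from the thread or from the Cyrus project: duplicate_links generalises the ls/cut/sort/uniq pipeline by naming every extra hard link of a shared inode, and duplicate_content groups files by cksum so that separate copies with identical bytes are caught too. It assumes Cyrus spool file names (digits followed by a dot, no whitespace); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report the duplicate message files
# in one Cyrus spool folder without deleting anything.  Only sh, ls,
# cksum, sort and awk are used.  Assumes Cyrus spool file names (digits
# followed by a dot) with no whitespace.

# duplicate_links DIR -> for each inode referenced by more than one file
# in DIR, the names of all but the first (in sorted order).
duplicate_links() {
    (cd "$1" && for f in *; do [ -f "$f" ] && ls -i "$f"; done) |
    sort -k1,1n -k2,2 |
    awk '$1 == prev { print $2 } { prev = $1 }'
}

# duplicate_content DIR -> for each (CRC, size) pair shared by more than
# one file in DIR, the names of all but the first.  Catches copies that
# are separate files as well as hard links.
duplicate_content() {
    (cd "$1" && for f in *; do [ -f "$f" ] && cksum "$f"; done) |
    sort -k1,1n -k2,2n -k3,3 |
    awk '($1 " " $2) == prev { print $3 } { prev = $1 " " $2 }'
}

# Usage: sh dups.sh /var/spool/imap/user/bob/folder
if [ "$#" -eq 1 ]; then
    echo "extra hard links:";     duplicate_links "$1"
    echo "extra content copies:"; duplicate_content "$1"
fi
```

The names printed are the candidates; whichever of a pair the cyrus.index still references is not visible from the filesystem alone, so review the list (or let a client do the removal, as the thread ends up doing) and run Cyrus's reconstruct on the folder after any files are removed behind the server's back.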
Re: Pruning Duplicates
John Thomas wrote, at 08/25/2008 11:01 PM:

> Jorey Bump wrote:
> > I've been asked to remove the duplicates. Can anyone recommend a safe and simple method for doing so?
>
> I have had success with this Thunderbird extension
> https://addons.mozilla.org/en-US/thunderbird/addon/956
> YMMV, have backups.

Thanks, that did the trick, although I used a fork that's being actively developed:

    http://removedupes.mozdev.org/

It's actually a pretty handy extension, as I discovered while testing on some of my own accounts.
Re: Couple of questions
Steve Webb wrote, at 07/21/2008 04:35 PM:

> 1.) If a pop user selects keep messages on server they start to see duplicate emails. I saw that other people on the listserv have also had the same issues, but there's not been any resolution to this issue. Q: How come Cyrus doesn't implement the correct behaviour, and is there any work-around other than switching to IMAP over POP? I've got pop users that can't access IMAP (using phones for checking email when on travel with leave messages on server then suck down the emails when they arrive back at a desktop). It's not feasible for them to move to IMAP and they require this functionality.

This has nothing to do with the POP server. Various POP clients use various methods to keep track of the messages left on the server, so they can avoid downloading them again, where they will appear as duplicates. When pointed to another POP server, this information is no longer valid. The old messages look like new ones, and the POP client downloads them. This will happen even if you migrate to a new server running the exact same version of the POP server you've been using. Fortunately, it will only happen once, and you'll get the same behaviour you had before.
Re: Postfix can't deliver to cyrus via lmtp
Derek Croxton wrote, at 07/11/2008 02:36 PM:

> I'm migrating a cyrus + postfix server to Ubuntu Hardy. Everything else works -- old mail is migrated, I can read it, and I can send mail -- but I can't receive mail. It gets stuck in postfix, with the error
>
>     warning: connect #[x] to subsystem private/lmtp: Connection refused.
>
> I discovered that the lmtp socket in Hardy is, by default, /var/run/cyrus/socket/lmtp, and I set master.cf accordingly. I saw one warning that the file needs to be accessible to both the cyrus and the postfix users. The /var/run/socket directory is owned by cyrus:mail, and has permissions of 740. The lmtp file itself is owned by root:root, but has permissions of 777. (Actually, the permissions line reads srwxrwxrwx; I can't remember what the leading s means.) Postfix appears to be running as the postfix user. Thanks for any help you can provide.

You should only need to add postfix to the mail group (at least, that's what I do on Slackware, where I have Postfix and Cyrus IMAPd compiled from source). You may still encounter a problem if Postfix is chrooted (the default in Debian-based systems, I believe). It is perfectly safe to not chroot Postfix, and I would recommend this as the easiest solution if it raises issues.
Re: Cyrus - can't create user mailbox
Stephen Liu wrote, at 06/10/2008 07:42 AM:

> --- Jorey Bump [EMAIL PROTECTED] wrote:
> > Stephen Liu wrote, at 06/09/2008 09:55 PM:
> > > Jun 10 09:14:10 lampserver postfix/lmtp[4989]: 40275878215: to=[EMAIL PROTECTED], relay=none, delay=0, status=deferred (connect to /var/run/cyrus/socket/lmtp[/var/run/cyrus/socket/lmtp]: Permission denied)
> >
> > Postfix can't access your socket.
> >
> > > $ sudo ls -l /var/run/cyrus/socket
> > > total 0
> > > srwxrwxrwx 1 root root 0 2008-06-10 06:55 lmtp
> > > $ sudo ls -ld /var/run/cyrus/socket
> > > drwxr-x--- 2 cyrus mail 80 2008-06-10 09:09 /var/run/cyrus/socket
> >
> > Only the cyrus user and members of the mail group can access your socket.
> >
> > > $ id postfix
> > > uid=107(postfix) gid=111(postfix) groups=111(postfix)
> >
> > Now just add the user postfix to the mail group. Currently, the postfix user only belongs to the postfix group. Users can belong to multiple groups. Add the postfix user to the mail group, so it can access your socket.
>
> Sorry I'm not very clear. Whether to follow the guy's suggestion, running;
>
> $ sudo adduser postfix lmtp
>
> ??? Thanks

I see no lmtp group in your configuration, so I don't expect this to have any effect.

> On http://unixadmintalk.com/f11/postfix-cyrus21-89421/

Don't blindly follow howtos without understanding the underlying concepts.

> His output is;
>
> $ id postfix
> uid=101(postfix) gid=103(postfix) groups=103(postfix),45(sasl),1001(lmtp)

He is apparently creating specialized groups that presumably have differing needs, which is fine, but you don't need to add this complexity at this stage. You can revisit this once you have a working solution and understand the reasoning behind it, but I wouldn't bother unless your platform imposes this on you.

> The output here is;
>
> $ id postfix
> uid=107(postfix) gid=111(postfix) groups=111(postfix)

Yes. Now add the postfix user to the mail group, and the permissions error should disappear.

> How about sasl?

Concentrate on fixing one error at a time. I don't use a special sasl group on my system. You might not need one, either.
Re: Cyrus - can't create user mailbox
Stephen Liu wrote, at 06/10/2008 09:21 AM:

> > > The output here is;
> > >
> > > $ id postfix
> > > uid=107(postfix) gid=111(postfix) groups=111(postfix)
> >
> > Yes. Now add the postfix user to the mail group, and the permissions error should disappear.
>
> I'm prepared to run;
>
> $ sudo groupadd mail -g 1001

I didn't say add the mail group.

> $ useradd postfix -u 1001 -g 1001

I didn't say add the postfix user.

> Shall I use number 1001? OR another number?

Don't. Stop guessing.

> However on /etc/group I found following entries;
>
> mail:x:8:dovecot

See, you already have a mail group. Leave it.

> dovecot:x:113:

And you seem to have dovecot installed, which shouldn't be a problem if you're not using it.

> I don't have dovecot-* running. Shall I remove them manually? Thanks

No, you should avoid manually removing applications on systems like Debian. Use the package manager to remove it. There's also a chance that Debian has some utilities for managing your mail system that you may want to look into. Personally, I don't like Debian's wizards, tools, or over-reaching modifications, so I don't use it. But if you like the system they offer, it can be easy to maintain.

All you need to do is add the (existing) postfix user to the (existing) mail group. This can be as easy as editing /etc/group, using the more secure vigr command, or any other number of ways your system provides. You should also be aware of your platform's documentation, especially if it's going to back you into certain corners. In any case, refer to it to learn about permissions, ownership, and how to add a user to a group. Then simply add postfix to the mail group and report back any new errors or success.
Re: Cyrus - can't create user mailbox
Stephen Liu wrote, at 06/09/2008 01:19 PM:

> $ cat /etc/postfix/master.cf | grep y

This is useless, because:

> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)

The chroot setting defaults to yes, so a 'y' does not need to be explicitly set.

> #  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
> verify    unix  -       -       -       -       1       verify
> proxymap  unix  -       -       n       -       -       proxymap
> # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
> relay     unix  -       -       -       -       -       smtp -o fallback_relay=

All those dashes represent the specified defaults for that column. No 'y' found. Stop guessing. Post your entire master.cf.

> > - change the path in cyrus.conf to move the socket somewhere below the postfix chroot jail. Be careful cyrus must have enough right in the postfix directory to create the socket.
>
> Could you please explain in more detail how to make it? TIA

There's no need to run Postfix in a chroot jail. You are better off disabling chroot entirely (explicitly with an 'n' in master.cf).
Re: Cyrus - can't create user mailbox
Stephen Liu wrote, at 06/09/2008 09:55 PM:

> Jun 10 09:14:10 lampserver postfix/lmtp[4989]: 40275878215: to=[EMAIL PROTECTED], relay=none, delay=0, status=deferred (connect to /var/run/cyrus/socket/lmtp[/var/run/cyrus/socket/lmtp]: Permission denied)
>
> $ sudo ls -l /var/run/cyrus/socket
> total 0
> srwxrwxrwx 1 root root 0 2008-06-10 06:55 lmtp
> $ sudo ls -ld /var/run/cyrus/socket
> drwxr-x--- 2 cyrus mail 80 2008-06-10 09:09 /var/run/cyrus/socket
>
> $ id postfix
> uid=107(postfix) gid=111(postfix) groups=111(postfix)

Now just add the user postfix to the mail group.
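The permission reasoning that runs through this thread and Derek Croxton's Hardy question above (directory cyrus:mail mode 750, socket mode 777, postfix only in group postfix) as a script that applies the same owner/group/other rules the kernel does. This is an added example, not code from the thread or from Cyrus or Postfix: the account name and its group list are passed in explicitly, as 'id postfix' reports them, so the answer can be worked out for an account other than the caller's before /etc/group is touched. It assumes GNU stat(1) for the -c format; root's bypass of mode bits and POSIX ACLs are not modelled, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: work out whether an account can
# reach a Unix socket from the owner, group and mode of each path
# component, mirroring how the kernel decides "Permission denied".
# Assumes GNU stat(1) ('stat -c'); root's bypass of mode bits and ACLs
# are not modelled.

# perm_class USER GROUPS OWNER GROUP MODE -> the octal digit of MODE
# that applies to USER: owner bits if USER owns it, else group bits if
# GROUP is one of USER's groups, else the "other" bits.
perm_class() {
    u=$1; grps=$2; owner=$3; group=$4; mode=$5
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # drop setuid/setgid/sticky digit
    if [ "$u" = "$owner" ]; then
        printf '%s' "$mode" | cut -c1
    elif printf ' %s ' "$grps" | grep -qF " $group "; then
        printf '%s' "$mode" | cut -c2
    else
        printf '%s' "$mode" | cut -c3
    fi
}

# can_reach USER GROUPS PATH [STOP] -> "ok", or the first component that
# blocks USER.  Every directory from PATH's parent up to (not including)
# STOP (default /) needs the search bit; PATH itself needs read+write,
# which is what connecting to a socket requires.
can_reach() {
    u=$1; grps=$2; target=$3; stop=${4:-/}
    p=$(dirname "$target")
    while [ "$p" != "$stop" ] && [ "$p" != / ]; do
        set -- $(stat -c '%U %G %a' "$p")
        case $(perm_class "$u" "$grps" "$1" "$2" "$3") in
            1|3|5|7) ;;
            *) echo "no search on $p"; return 1 ;;
        esac
        p=$(dirname "$p")
    done
    set -- $(stat -c '%U %G %a' "$target")
    case $(perm_class "$u" "$grps" "$1" "$2" "$3") in
        6|7) echo ok ;;
        *) echo "no read/write on $target"; return 1 ;;
    esac
}

# Usage: sh socketcheck.sh postfix "$(id -Gn postfix)" /var/run/cyrus/socket/lmtp
if [ "$#" -eq 3 ]; then
    can_reach "$1" "$2" "$3"
fi
```

With the thread's numbers (/var/run/cyrus/socket owned cyrus:mail, mode 750; postfix in group postfix only) the report is "no search on /var/run/cyrus/socket", and it turns to "ok" as soon as mail is added to postfix's group list, which is what 'usermod -a -G mail postfix' does. A Postfix lmtp client running inside the chroot cannot see the socket path at all, which is a separate problem from these mode bits and why the thread recommends disabling the chroot.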
Re: Problems with load balancing cluster on GFS
Jens Hoffrichter wrote, at 06/06/2008 09:46 AM:

> But it doesn't seem to be related to entropy. Though on one of the nodes entropy is usually quite low (between 100 and 300), it never drops below the 100 mark, and when running a load test, that node and another failed, and on the one failing was more than 3000 entropy available. To rule it out completely I started rngd on all the nodes, feeding from /dev/urandom (I know, not perfect, but better than nothing ;) ), but that didn't change anything. And I checked the compilation settings for my cyrus-sasl package, it already takes /dev/urandom as entropy source. So I think I can rule it out mostly

Yeah, it shouldn't lock with urandom. You might want to play around with poptimeout and popminpoll, to see if that has any effect on your load balancing test. Is jakarta-jmeter distributing these logins among enough different users to simulate real-world conditions? What do your imap/debug logs say when the lockup occurs?

While I support POP3, I encourage all of my users to use IMAP, so I don't have many problems with pop3d (except for brute force attacks, which I solved by increasing sasl_minimum_layer, but that won't help you here).
Re: Not all mailboxes listed when migrating to new server
Keith Edmunds wrote, at 05/27/2008 01:32 PM:

> If I do a 'lam user.xxx' where user.xxx is one of the accounts not listed, I get 'Mailbox does not exist'. If I send a mail to that user on the new server and repeat the 'lam user.xxx', I get a blank line output, suggesting that the mailbox does now exist but with no acls. The mail sent to that user can be seen in the filesystem.

Have you tried to explicitly create the mailbox after the fact?

    cm user.xxx

This can be done nondestructively. I remember needing to do this for some mailboxes when I used imapsync to migrate from uw-imap. It's inconvenient, but if you're only talking about a fraction of 98 users, it might be feasible.

If you've already migrated your data, you might also consider adding some flags to reconstruct:

    /usr/sbin/cyrreconstruct -rf

My most recent migration was between two similar environments using the same version of Cyrus IMAPd (2.3.11). In that case, I simply copied all data to the new server, identified and removed the following Berkeley DB files:

    /var/imap/deliver.db
    /var/imap/tls_sessions.db
    /var/imap/db/*

Then I started Cyrus, which rebuilt the missing databases. It worked like a charm, with no need for reconstruct or imapsync. However, I don't know if this is an option for the 2.2.x series.
Re: Problems with load balancing cluster on GFS
Jens Hoffrichter wrote, at 06/05/2008 04:03 PM:

> At first I thought that this was a problem related to entropy, but it even persisted after I turned off allowapop, and unconfigured everything relating to TLS (as SSL/TLS will be handled completely by the perdition, we don't need it)

To rule it out completely, watch it during your test:

    watch -n 0 'cat /proc/sys/kernel/random/entropy_avail'

It might start blocking when it gets as low as 100 (healthy seems to be above 1000). If you're at the console (not a remote terminal), type on the keyboard to add entropy and see if this helps. If it does, you may have a cyrus-sasl that uses /dev/random (the default). Check the source RPM to verify, and adjust it to use /dev/urandom to stop the blocking.
Re: Protection against POP or IMAP Denial of Service (DOS)
Stéphane BERTHELOT wrote, at 05/20/2008 06:32 PM:

> - increase security level (SSL/ CRAM-MD5/ ...).
>
> In a wonderful world it would be possible but I would bet (but I've not checked yet) that some of our users have pretty broken clients (like old Outl**k...) that would not be able to login anymore. Then we would be stuck or denying some service ourselves ...

I suggested this, and I've been extremely happy with the results. Offering secure logins is essential these days, but allowing unencrypted PLAIN or LOGIN authentication is no longer necessary (and quite arguably foolish). At this point, anyone with a system so antiquated it can't cope with TLS, SSL or other secure logins poses more of a threat to your service than a drive-by attacker.

It stopped the brute force attacks dead in their tracks on my servers. But this will only last until the attackers add TLS support to their malware, so I agree it would be nice if the Cyrus IMAPd code could be hardened against a DoS. I haven't experienced this debilitating effect with other POP3 servers I've used.

In any case, I've found this configuration to be quite effective (I'm using sasldb), and it allowed me to identify and help users that were not configuring clients securely:

    sasl_pwcheck_method: auxprop
    sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    allowplaintext: no
    sasl_minimum_layer: 128

Once everyone got settled, I haven't heard a peep, and there are no more DoS-related complaints.

I also use the following iptables rules to only allow up to 2 connections in a 15 second period, but haven't determined if they're effective:

    iptables -A INPUT -p tcp -m state --state NEW --dport 110 -m recent --update --seconds 15 --hitcount 2 -j DROP
    iptables -A INPUT -p tcp -m state --state NEW --dport 110 -m recent --set -j ACCEPT

None of my POP3 users have complained, but I don't have many. Most of my users use IMAP.
APOP No Longer Working after Upgrade to IMAPd 2.3.12p2
I upgraded Cyrus IMAPd from 2.3.11 to 2.3.12p2 last night, and a user is now reporting that he can no longer authenticate using APOP. He's getting this error from his client:

    'The server error encountered was: The POP server mail.example.net doesn’t support X-APOP authentication. Please check your account settings and try again. '

I haven't changed anything in the configuration that was working fine under 2.3.11. Any ideas?
Re: APOP No Longer Working after Upgrade to IMAPd 2.3.12p2
Wesley Craig wrote, at 04/30/2008 02:18 PM:

> Is this an iPhone? Might look at this:
> http://www.dannyfoo.com/blog/apple-iphone/malaysia-iphone-x-apop-authentication-support-and-secure-connection-failed/

The user hasn't reported the client, but he's a Mac fan, so this is quite possible. However, I'm also currently grappling with a webmail performance problem. This is why I upgraded Cyrus IMAPd. I've just discovered that, compared to all my other servers, this platform is having difficulty maintaining entropy. If I run a complex find operation, I can build the entropy back up, but it quickly depletes with only a few webmail users making connections. At first, I thought it was an Apache mod_ssl issue, but the Cyrus docs mention that APOP requires a lot of entropy, as well. If anyone has any tips on maintaining entropy on a headless Linux 2.6 machine, I'd appreciate it. I've already switched the drives to different hardware, to no avail.

> Also, the way the APOP challenge is written out has changed, so I might look there.
>
> :wes
>
> On 30 Apr 2008, at 11:34, Jorey Bump wrote:
> > I upgraded Cyrus IMAPd from 2.3.11 to 2.3.12p2 last night, and a user is now reporting that he can no longer authenticate using APOP. He's getting this error from his client: 'The server error encountered was: The POP server mail.example.net doesn’t support X-APOP authentication. Please check your account settings and try again. ' I haven't changed anything in the configuration that was working fine under 2.3.11. Any ideas?
Re: APOP No Longer Working after Upgrade to IMAPd 2.3.12p2
Wesley Craig wrote, at 04/30/2008 04:26 PM:

> Two options: some motherboards have an entropy generator hardware device; or, use the random device that doesn't block when entropy is low.

I think Cyrus IMAPd uses /dev/urandom by default, but I'm not sure how I can confirm this. I didn't specify anything during compilation, and I can't find a runtime setting to explicitly select the random device, either.

In any case, I can now faithfully trigger the problem by making multiple webmail requests until the browser hangs, then hold down the spacebar of the server's keyboard to build up entropy until the request is served and performance returns to normal. I haven't had a chance to check if this restores APOP, though.

Maybe an IMAP proxy would help prevent the webmail from depleting the entropy, but I'm still wondering why this is a problem on this server running Linux kernel 2.6 and not my other IMAP servers running Linux kernel 2.4. I have an identical Linux 2.6 server that isn't having this problem, and the only difference is that it doesn't have Cyrus IMAPd on it.
Re: APOP No Longer Working after Upgrade to IMAPd 2.3.12p2
Andrew Morgan wrote, at 04/30/2008 05:15 PM:

> Cyrus IMAP calls out to the sasl libraries to generate the APOP challenge. On my Debian Etch system, libsasl2.so uses /dev/random.

How do you determine if it uses /dev/random?
Re: APOP No Longer Working after Upgrade to IMAPd 2.3.12p2
Andrew Morgan wrote, at 04/30/2008 08:05 PM:

> On Wed, 30 Apr 2008, Jorey Bump wrote:
> > Andrew Morgan wrote, at 04/30/2008 05:15 PM:
> > > Cyrus IMAP calls out to the sasl libraries to generate the APOP challenge. On my Debian Etch system, libsasl2.so uses /dev/random.
> >
> > How do you determine if it uses /dev/random?
>
> cyrus-be2:/usr/lib/sasl2# strings /usr/lib/libsasl2.so.2.0.19 | grep random
> /dev/random

This is the case on all of my machines. I looked at the source package of my distribution (Slackware) and it compiles Cyrus SASL with the default of /dev/random. I recompiled it to use /dev/urandom, and my webmail connections no longer hang. I still lose entropy fairly quickly, but it doesn't block. Hopefully, there isn't a strong downside to this change. Using pop3test, I'm able to authenticate with APOP.
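The diagnosis in this thread and in the GFS load-balancing thread above comes down to two observations: which random device libsasl2 was built to read, and how far the kernel's entropy pool has dropped. This added example (not code from either thread, nor from Cyrus SASL) makes both repeatable from a script: random_devices does what the 'strings ... | grep random' command above does, using tr so it works where binutils is not installed; entropy_status classifies the /proc counter against the 100 (blocking) and 1000 (healthy) marks quoted earlier; blocking_risk combines the two. Paths are arguments so the functions can be pointed at a constructed sample as well as at the live library; the function names and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example, not from either thread: make the entropy diagnosis
# repeatable.  Thresholds are the ones quoted in the thread (readers of
# /dev/random stall around 100 bits; above 1000 is comfortable).

# random_devices FILE -> every /dev/random or /dev/urandom string
# embedded in FILE (a shared library or binary), one per line.
random_devices() {
    tr -c '[:print:]' '\n' < "$1" | grep -o '/dev/u\{0,1\}random' | sort -u
}

# entropy_status [FILE] -> blocking | low | healthy.  FILE defaults to
# the live kernel counter; pass a file to classify a recorded value.
entropy_status() {
    avail=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}")
    if [ "$avail" -lt 100 ]; then echo blocking
    elif [ "$avail" -lt 1000 ]; then echo low
    else echo healthy
    fi
}

# blocking_risk LIB [ENTROPY_FILE] -> yes when LIB references only
# /dev/random (so its reads stall when the pool runs dry) and the pool
# is not healthy; no otherwise.
blocking_risk() {
    devs=$(random_devices "$1")
    if [ -n "$2" ]; then status=$(entropy_status "$2"); else status=$(entropy_status); fi
    if [ "$devs" = /dev/random ] && [ "$status" != healthy ]; then echo yes; else echo no; fi
}

# Usage on a live system (library path as in the thread; adjust for yours):
#   sh entropycheck.sh /usr/lib/libsasl2.so.2.0.19
if [ "$#" -ge 1 ]; then
    echo "random devices referenced: $(random_devices "$1" | tr '\n' ' ')"
    echo "entropy pool: $(entropy_status)"
    echo "blocking risk: $(blocking_risk "$1")"
fi
```

A library that references only /dev/random while the pool sits in the low band is the combination the thread describes (webmail hangs, APOP challenges stall); one that references /dev/urandom does not block, which is why recompiling Cyrus SASL with /dev/urandom cleared the hang above.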
Re: cyrus pop3 question
Corey wrote, at 04/16/2008 04:29 PM:

> I just had an experience where my server was getting slammed with thousands of concurrent pop3 requests. This went on for over an hour before it finally ceased, at which point I was able to start cyrus again. Anyhow, what are some mechanisms to prevent this in the future?

I've managed to stop such brute force password attacks by requiring encryption for all connections in imapd.conf:

    sasl_pwcheck_method: auxprop
    sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    allowplaintext: no
    sasl_minimum_layer: 128

Your environment may be different and require some tweaking. Test thoroughly after making the changes. So far, I've only seen plaintext brute force attacks against POP3, so maybe it's a limitation of current malware. Nearly all modern clients can deal with this restriction, and it's good best practice.
Re: how to use cyradm with imaps ?
Andrew Morgan wrote, at 04/14/2008 12:44 PM:

> Isn't there a way to have Cyrus listen on the regular IMAP port (143) but require a secure connection to login? Some trick with allowplaintext and/or sasl_minimum_layer?

Yes. For example:

    sasl_pwcheck_method: auxprop
    sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    allowplaintext: no
    sasl_minimum_layer: 128

To connect with cyradm using TLS:

    cyradm localhost -tls

> Who cares if you listen on 143 as long as people aren't sending passwords in the clear. TLS is as good as SSL.

Agreed. Furthermore, it stops a lot of brute force password cracking attempts dead in their tracks, since most don't attempt to use encrypted connections (they're looking for low hanging fruit, I guess).
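The same imapd.conf fragment is recommended three times on this page (the POP3 DoS thread, the "cyrus pop3 question" reply and this one). The following added example, which is not code from any of those posts or from the Cyrus project, audits an imapd.conf for the two settings that fragment relies on, allowplaintext and sasl_minimum_layer, reading "key: value" lines the way the file is written and reporting each weakness or "ok". The two sample files are constructed for illustration: one with plaintext logins allowed, one with the recommended fragment. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the Cyrus project: audit an
# imapd.conf for the settings that keep passwords off the wire.

# conf_get FILE KEY -> value of the last "KEY: value" line (comments and
# blank lines skipped, whitespace around the colon tolerated).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            split($0, kv, ":"); k = kv[1]
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, ":") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                last = v
            }
        }
        END { print last }' "$1"
}

nl='
'
# note TEXT -> append one finding line to $findings.
note() { findings="${findings}${findings:+$nl}$1"; }

# audit_plaintext FILE -> one finding per line, or "ok".
audit_plaintext() {
    findings=""
    ap=$(conf_get "$1" allowplaintext)
    ml=$(conf_get "$1" sasl_minimum_layer)
    case "${ap:-unset}" in
        no|0|false|f|off) ;;
        unset) note "allowplaintext not set: the version default decides whether PLAIN/LOGIN work without TLS; set it to no" ;;
        *)     note "allowplaintext: $ap lets PLAIN/LOGIN send passwords unencrypted" ;;
    esac
    case "${ml:-0}" in
        0) note "sasl_minimum_layer is ${ml:-unset}: authentication is accepted without an encryption layer (the thread sets 128)" ;;
    esac
    if [ -z "$findings" ]; then echo ok; else printf '%s\n' "$findings"; fi
}

# write_samples DIR -> DIR/weak.conf and DIR/hardened.conf (constructed).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: plaintext logins allowed, no minimum SASL layer
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN
allowplaintext: yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: the fragment recommended in the thread
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: no
sasl_minimum_layer: 128
EOF
}

# Usage: sh auditconf.sh /etc/imapd.conf
if [ "$#" -eq 1 ]; then audit_plaintext "$1"; fi
```

Run against the weak sample it reports both settings; against the hardened one it prints "ok". The check is deliberately narrow: it says nothing about whether a TLS certificate is configured, which the hardened settings require for PLAIN and LOGIN to keep working at all.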
Re: STARTTLS on Cyrus IMAPd 2.3.11
Andrew Morgan wrote, at 03/20/2008 12:20 PM:

> Just for reference, I'm using the following TLS settings with 2.3.11 just fine:
>
> tls_ca_file: /etc/ssl/certs/thawte-premium.pem
> tls_ca_path: /etc/ssl/certs
> tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
> tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key
>
> I only bothered adding tls_ca_file because I kept getting worthless log messages on every new connection:
>
> TLS server engine: No CA file specified. Client side certs may not work

Hah, now I'm getting them, too. :)

> We are not using SSL client certificates, so tls_ca_file is irrelevant in our situation. Maybe the format of your CA bundle file is not what openssl expects? Do you get valid output when you run:
>
> openssl x509 -in /etc/ssl/certs/your-ca-bundle -text

I'm not sure. There are no errors, but it only displays the first certificate in the bundle. This is true of my local bundle and any bundle included with the system by various applications.

On a lark, I pointed tls_ca_file to an old root certificate I once needed for a chained root. It contains only a single certificate, and STARTTLS connections on port 143 work when it is defined. So, maybe bundles are no longer acceptable in tls_ca_file? I guess if one needs to use client certificates, tls_ca_file should contain a single root? If one needed to support multiple roots, perhaps use tls_ca_path instead? I guess I'll deal with those issues as they come, since I apparently don't need to define tls_ca_(file|path) at all for normal operation (unless I want to eliminate annoying log messages).

Thanks for the additional info, it helped reveal more details, but it would sure be nice to see some clarifying documentation. I still don't know why the behaviour changed between 2.3.7 to 2.3.11, and if it represents a fix or a potential bug. Why is the CA file checked if no client cert is presented (unless it's needed for SASL-IR)? I'll have to search the changelog or code when I have the time.
Re: STARTTLS on Cyrus IMAPd 2.3.11
Wesley Craig wrote, at 03/20/2008 01:57 PM:

> On 20 Mar 2008, at 13:07, Jorey Bump wrote:
> > On a lark, I pointed tls_ca_file to an old root certificate I once needed for a chained root. It contains only a single certificate, and STARTTLS connections on port 143 work when it is defined.
>
> This suggests a specific problem with the cert bundle you're using.

I think you're right. I just tried all of the other bundles that came with the system and met with mixed results. The only one that worked that contained multiple certificates was provided with curl 7.16.2. It's definitely in a different format:

    Cert Title
    ==========
    MD5 Fingerprint: [fingerprint]
    PEM Data:
    -----BEGIN CERTIFICATE-----
    [certificate in PEM format]
    -----END CERTIFICATE-----
    Certificate Ingredients:
    [verbose data]

    ...more certs...

The ones that fail are simply bundles of the PEM data only:

    -----BEGIN CERTIFICATE-----
    [certificate in PEM format]
    -----END CERTIFICATE-----

    ...more...

Cyrus 2.3.11 (and possibly other versions after 2.3.7) no longer seems to like these.

> > Why is the CA file checked if no client cert is presented (unless it's needed for SASL-IR)? I'll have to search the changelog or code when I have the time.
>
> The way the code is currently written, if you're using imaps, the server will be implicitly prepared to accept a client cert. Of course, if no CAfile is defined, you'll get that spurious error! There seems to be an assumption that CAfile implies something different than CApath -- it doesn't. I think the code should be changed to not tell the client that a cert will be accepted if neither CAfile nor CApath is defined.

Does it? They're empty by default, which fixed my problem, so isn't that already the case?

> Does your Thunderbird have access to any client certificates? Since the server will advertise that it accepts them, even tho it probably can't use them, I wonder if this isn't the cause of your version mismatch error message.

Well, it's working with the curl bundle, so your earlier suspicion about the incompatible bundle bears out.

I encountered the problem with both Thunderbird and imtest. Since imtest easily supports testing with client certificates, I'll try it out when I get a chance. It will be interesting to add some different local roots and test with multiple certificates. In the meantime, I'll just use the curl CA bundle as a matter of routine. Thanks for the help!
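Two observations in this thread and in Andrew Morgan's reply above go together: 'openssl x509 -in bundle -text' shows only the first certificate, and the bundle layout (PEM blocks only, or the curl layout with title, fingerprint and ingredients text around each block) is what decides whether Cyrus accepts the file. The following added example, not code from the thread or from Cyrus, splits a bundle of either layout into one file per certificate so each piece can be inspected on its own, and then runs openssl over every piece when openssl is installed. The sample bundle it writes is constructed, with placeholder bodies that are not real certificates; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a CA bundle one
# certificate at a time, since 'openssl x509 -in bundle' reads only the
# first block.  Works on plain PEM bundles and on the curl layout with
# descriptive text between the blocks.

# count_certs FILE -> number of BEGIN CERTIFICATE markers (0 if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || :
}

# split_bundle BUNDLE OUTDIR -> writes OUTDIR/cert-1.pem, cert-2.pem, ...
# each holding exactly one BEGIN..END block; prints how many.
split_bundle() {
    awk -v out="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = sprintf("%s/cert-%d.pem", out, n); inblock = 1 }
        inblock { print > f }
        /^-----END CERTIFICATE-----$/ { inblock = 0; close(f) }
        END { print n + 0 }' "$1"
}

# check_bundle BUNDLE -> the count, then (if openssl is present) the
# subject of each piece or "INVALID cert-N"; returns 1 if any piece
# fails to parse.
check_bundle() {
    tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$tmp")
    echo "$n certificates"
    rc=0
    if command -v openssl >/dev/null 2>&1; then
        i=1
        while [ "$i" -le "$n" ]; do
            if subj=$(openssl x509 -noout -subject -in "$tmp/cert-$i.pem" 2>/dev/null); then
                echo "cert-$i: $subj"
            else
                echo "INVALID cert-$i"; rc=1
            fi
            i=$((i + 1))
        done
    fi
    rm -rf "$tmp"
    return $rc
}

# write_sample_bundle FILE -> constructed bundle in the curl layout; the
# PEM bodies are placeholders, not certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Constructed Root One
====================
MD5 Fingerprint: 00:11:22:33
PEM Data:
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgb25l
-----END CERTIFICATE-----
Certificate Ingredients:
    (verbose data)

Constructed Root Two
====================
PEM Data:
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgdHdv
-----END CERTIFICATE-----
EOF
}

# Usage: sh splitbundle.sh /etc/ssl/certs/local-ca-bundle.crt
if [ "$#" -eq 1 ]; then check_bundle "$1"; fi
```

A bundle that reports the expected count and no INVALID pieces is well-formed as far as OpenSSL is concerned, which narrows the remaining question to how Cyrus's tls_ca_file loading treats it; a bundle where the count is lower than expected (a block with CRLF line endings, or a damaged marker line) is the more common cause of "only the first certificate works".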
Re: STARTTLS on Cyrus IMAPd 2.3.11
Wesley Craig wrote, at 03/19/2008 04:53 PM:

> You know, this *almost* sounds like you've configured Thunderbird to do TLS on the imaps port.

No, it's connecting to port 143 with TLS checked. I've provided my cyrus.conf in another message, where you can see I'm running imapd without the -s switch on the imap port:

    imap cmd="imapd" listen="imap" prefork=0

So I'm not wrapping that in SSL like the imaps port:

    imaps cmd="imapd -s" listen="imaps" prefork=0
Re: STARTTLS on Cyrus IMAPd 2.3.11
Andrew Morgan wrote, at 03/19/2008 06:57 PM:

> Those look fine to me. I'm not sure about the sasl_minimum_layer setting. Have you tried setting that to 0?

Yes, but no joy. :(
Re: STARTTLS on Cyrus IMAPd 2.3.11
Patrick T. Tsang wrote, at 03/19/2008 07:07 PM: try this:

...
sasl_mech_list: PLAIN LOGIN
...

No effect.
Re: STARTTLS on Cyrus IMAPd 2.3.11
Jorey Bump wrote, at 03/19/2008 06:41 PM:

tls_ca_file: /etc/ssl/certs/local-ca-bundle.crt

This seems to be the cause of the problem. If I remove this setting, everything works as expected. Note that this didn't interfere on 2.3.7. The entry in imapd.conf(5) isn't very illuminating:

tls_ca_file: none
File containing one or more Certificate Authority (CA) certificates.

Is this used for verifying client certificates? If so, why wouldn't it be possible to have it defined and still accept other means of authentication? What's changed about this parameter since 2.3.7? Fortunately, I don't appear to need it, and can no longer remember why I defined it in the first place (unless it's needed for chained certificates or local CAs, which I once used on the 2.3.7 production machine, but switched to a single root certificate).
Re: STARTTLS on Cyrus IMAPd 2.3.11
Wesley Craig wrote, at 03/18/2008 08:48 PM: On 18 Mar 2008, at 17:55, Jorey Bump wrote: http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028210.html

Do you use client certificates? Because the message you're quoting is about someone who does: http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028124.html

I guess the title of that thread pointed at the problem: 2.3.11 STARTTLS broken if tls_ca_file is defined. But I'm almost sure I tried undefining tls_ca_file as soon as I saw that. Anyway, removing tls_ca_file from imapd.conf has solved my problem. Thanks for the help.
STARTTLS on Cyrus IMAPd 2.3.11
I'm migrating from Cyrus IMAPd 2.3.7 to 2.3.11. I've moved all the data to the new environment and rebuilt the necessary databases. Everything seems to be working fine, with the exception of STARTTLS connections to port 143 from *remote* machines. The following imtest logins work fine when run on the local machine (mail.example.net):

imtest -u jorey -a jorey -t localhost
imtest -u jorey -a jorey -s localhost
imtest -u jorey -a jorey -t mail.example.net
imtest -u jorey -a jorey -s mail.example.net

The following works when run remotely (imaps, port 993):

imtest -u jorey -a jorey -s mail.example.net

But STARTTLS on port 143 fails remotely:

imtest -u jorey -a jorey -t mail.example.net

Output of imtest:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 SASL-IR] mail.example.net Cyrus IMAP4 v2.3.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain

Odd, because it's a commercial certificate, but this error is also present in successful logins on the local machine, so it shouldn't be a showstopper. From /var/log/imapd.log:

Mar 18 15:51:13 mail imap[6203]: STARTTLS negotiation failed: [10.1.10.94]

Thunderbird 2.0.0.12 produces this error, twice in a row for a single attempt to access a mailbox:

Thunderbird can't connect securely to mail.example.net because the site uses a security protocol which isn't enabled.

My Cyrus IMAPd 2.3.7 installations work fine. Has there been a change to the way 2.3.11 handles STARTTLS on port 143? Is there a new default I have to override in imapd.conf? Do I need to explicitly set a cipher list? Any tips concerning this issue would be appreciated.
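The imtest transcript in the post above shows the one part of this exchange that is worth reading from a security angle: the pre-TLS greeting advertises STARTTLS and LOGINDISABLED and offers only AUTH=DIGEST-MD5, so nothing a client can do on port 143 before the TLS handshake exposes a password. The script below is an added example, not code from the post or from Cyrus: it pulls the capability list out of a greeting (or an untagged CAPABILITY reply) and reports what a client could do before STARTTLS completes. The first input is the greeting from the post; the second is a constructed, deliberately weak greeting used to show what the findings look like.

```python
"""Inspect what an IMAP server offers before TLS, from its greeting or CAPABILITY reply."""
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Return the capability tokens from '* OK [CAPABILITY ...] ...' or '* CAPABILITY ...'."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m:
        tokens = m.group(1).split()
    elif line.startswith("* CAPABILITY "):
        tokens = line[len("* CAPABILITY "):].split()
    else:
        raise ValueError("no capability list in: " + line)
    return {t.upper() for t in tokens}


def assess_pre_tls(caps):
    """Flag what a client could do on the port before STARTTLS completes."""
    mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command accepted before TLS")
    exposed = sorted(set(mechs) & PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext SASL mechanisms offered before TLS: " + ", ".join(exposed))
    return {"starttls": "STARTTLS" in caps, "mechs": mechs, "findings": findings}


# The greeting quoted in the post above.
GREETING_FROM_THREAD = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED "
    "AUTH=DIGEST-MD5 SASL-IR] mail.example.net Cyrus IMAP4 v2.3.11 server ready"
)
# The untagged reply to C01 CAPABILITY from the same transcript (abbreviated).
CAPABILITY_REPLY = "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 SASL-IR ACL QUOTA"
# Constructed weak greeting, not from any real server.
WEAK_GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] constructed server ready"

if __name__ == "__main__":
    for line in (GREETING_FROM_THREAD, WEAK_GREETING):
        print(assess_pre_tls(parse_capabilities(line)))
```

Run it against the banner your own server sends on 143 (imtest prints it as the first S: line) before and after a TLS change; an empty findings list is the posture the post's server already had, so the failure being debugged there is a handshake problem, not a credential-exposure one.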
Re: STARTTLS on Cyrus IMAPd 2.3.11
Wesley Craig wrote, at 03/18/2008 04:44 PM: On 18 Mar 2008, at 16:11, Jorey Bump wrote: Everything seems to be working fine, with the exception of STARTTLS connections to port 143 from *remote* machines.

C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain

Who signed the certificate?

issuer=/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1

It's the same key/certificate I'm using on the production machine running 2.3.7, so I don't think there's anything wrong with the certificate. As I mentioned, it doesn't stop local connections, which proceed beyond that error. And imaps (port 993) connections work fine with the same system/certificate. The failed Thunderbird connections cause this entry in the debug log:

Mar 18 17:48:54 mail imap[6279]: accepted connection
Mar 18 17:48:55 mail imap[6279]: wrong version number in SSL_accept() - fail
Mar 18 17:48:57 mail imap[6279]: accepted connection
Mar 18 17:48:57 mail imap[6279]: wrong version number in SSL_accept() - fail

Searches for this error and Cyrus IMAP turn up another posting in January that was apparently never resolved:

http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028210.html

I'm concerned I'll have to regress to an earlier version, but I'm hoping there is a simple fix for this.
Re: STARTTLS on Cyrus IMAPd 2.3.11
Wesley Craig wrote, at 03/18/2008 08:48 PM: On 18 Mar 2008, at 17:55, Jorey Bump wrote: http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028210.html

Do you use client certificates? Because the message you're quoting is about someone who does: http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-January/028124.html

No, I don't use client certificates, but the part of that discussion I found in my search was very similar to my problem. I'm focusing now on the open_ssl error "wrong version number" and just realized the current system uses openssl 0.9.7l, while the new environment uses openssl 0.9.8e. This might be significant, but I haven't found anything conclusive. I know that other bugs were introduced with this release.
Re: STARTTLS on Cyrus IMAPd 2.3.11
Jorey Bump wrote, at 03/18/2008 09:18 PM: I'm focusing now on the open_ssl error "wrong version number" and just realized the current system uses openssl 0.9.7l, while the new environment uses openssl 0.9.8e. This might be significant, but I haven't found anything conclusive. I know that other bugs were introduced with this release.

Taking another tack, I configured Postfix to use the same certificate and STARTTLS connections work fine. So, there's no interference from my network connection, and my openssl version seems to present no obstacle that can't be overcome. Can anyone confirm that STARTTLS connections to port 143 work with 2.3.11?
Re: IMAPD Authentication failed. generic failure
J.J. Day wrote, at 03/17/2008 01:53 AM:

auth.log ==
Mar 16 23:38:40 dc-mail imap[3700]: could not find auxprop plugin, was searching for [all]

It's been a while since I compiled my own Cyrus SASL, but when I did, I used to need a symlink:

ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Give it a try, and if it doesn't work, provide your imapd.conf.
Re: IMAPD Authentication failed. generic failure
J.J. Day wrote, at 03/17/2008 11:25 AM:

auth.log ==
Mar 16 23:38:40 dc-mail imap[3700]: could not find auxprop plugin, was searching for [all]

It's been a while since I compiled my own Cyrus SASL, but when I did, I used to need a symlink:

ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Give it a try, and if it doesn't work, provide your imapd.conf.

Creating the symlink is part of the instructions for the SASL install so it was done before IMAPD was compiled.

What are the contents of /usr/lib/sasl2?
Re: IMAPD Authentication failed. generic failure
J.J. Day wrote, at 03/17/2008 12:12 AM:

[EMAIL PROTECTED] etc]# imtest -u cyrus -m login localhost

Try this instead:

imtest -u cyrus -a cyrus -t localhost
Re: Error creating mailboxes with an inside
Toschi Pietro wrote, at 02/05/2008 06:57 AM: Apparently, cyrus-imapd does not support mailboxes with some letters inside the name. “” is one of them. I have some mailboxes containing that symbol to be migrated from another server (SUN) but I always get an error. Looking at the IMAP RFC it seems very complex to me to understand what characters are supported and how by the protocol. I wonder if there is a way to make cyrus accept such mailboxes, for example using some sort of escape sequences, encoding rules or so. Does someone have a solution to this annoying problem?

In Thunderbird, I can create a new folder named:

thisthat

This results in a directory on the server named:

this-that

What tool are you using to migrate your mailboxes? Hopefully, something like imapsync will take care of these details for you.
Re: Plaintext only for loopback?
Chris Pepper wrote, at 01/13/2008 06:48 PM: Arrgh! SquirrelMail offers plain, cram-md5, and digest-md5, and only plain appears to work against /etc/shadow. I don't want the overhead of running TLS over loopback, so I think I will have to do without forcing secure auth for non-SSL IMAP/POP, and use the firewall to prevent Internet users from connecting over the Internet w/o SSL (so I don't have to worry about them unwisely using PLAIN or LOGIN over a plaintext connection).

Using TLS over loopback isn't entirely crazy, especially if webmail accounts only for a fraction of your service (unless your platform has a serious problem maintaining entropy). There are also compelling reasons to switch to sasldb for mail accounts. I used /etc/shadow for years, but I have to say I'm happy I switched, in spite of some of the negatives. The truth is that less than 1% of my mail users need shell accounts, so there's no incentive to create them as system users, and there's no obstacle to providing shells to the users that need them. Creating users in sasldb isn't that much harder, and is more in keeping with the black box paradigm employed by cyrus. Some mail clients use the md5 methods by default, or failover to them, so it's worth adding support. Give it a try, you might like it.

Pity. It would be nice to have the option of doing IMAP on the IMAP port without worrying about unencrypted plaintext auth. Thanks, Chris PS-Bron, I don't want to deal with multiple instances, and I don't need to, since I can firewall IMAP (non-SSL) and only let SquirrelMail connect to port 143. I'm not looking forward to the SpamAssassin/ClamAV sandwich on the SMTP side.

Don't co-opt a standard port for a nonstandard purpose. Bron and Phil have both indicated how Cyrus IMAP offers additional options. It's not always obvious in the documentation, but there are roughly three kinds of options:

Global settings
Named service settings
Arguments

Don't be deceived by the service names in cyrus.conf; they are just arbitrary strings. You can create an imapd service dedicated to SquirrelMail and call it anything you want:

imap cmd=imapd listen=192.168.1.100:143 prefork=0
imaps cmd=imapd -s listen=imaps prefork=0
nuts cmd=imapd listen=localhost:143 prefork=0

Just make sure you avoid IP or port conflicts. Now you'll need to either prefix the appropriate settings in imapd.conf for each named service:

imap_tls_cert_file: /path/to/cert.crt
imaps_tls_cert_file: /path/to/cert.crt
nuts_tls_cert_file: disabled
...

Or simply create a dedicated configuration file for the new service, and specify it in cyrus.conf:

nuts cmd=imapd -C /etc/nuts.conf listen=localhost:143 prefork=0

So, what you want to do is supported, it's just not intuitively obvious, because there's a fair amount of flexibility and interaction between settings at different levels. NOTE: I've set this up in the past, but didn't confirm the examples above. Be sure to consult the documentation for your version of Cyrus IMAP. Using a separate imapd config file may be the safest way to get your alternate service running to your specifications without disrupting an existing configuration too much (and follow Bron's advice and version control everything).
Re: Plaintext only for loopback?
Chris Pepper wrote, at 01/13/2008 01:59 AM: I want to allow plaintext auth only for SquirrelMail (running on the Cyrus IMAPd server), and require encrypted authentication over all physical network connections.

Why do you want plaintext auth only for SquirrelMail? It supports TLS, alternate ports, CRAM-MD5, and DIGEST-MD5. For example, my SquirrelMail is set up to use LOGIN/TLS on port 993 (settings inherited from a historical setup; I can also support the other options). Are you trying to avoid the overhead of TLS?
Re: Squirrelmail with Cyrus
Jeremy Ford wrote, at 12/07/2007 08:24 AM: This works for me...

$imap_server_type = 'cyrus';
$default_folder_prefix = '';
$trash_folder = 'INBOX/Trash';
$sent_folder = 'INBOX/Sent';
$draft_folder = 'INBOX/Drafts';

That is for systems with unixhierarchysep enabled. Default systems will use INBOX.Trash, etc.
Re: recipient checking
Daniel Aquino wrote, at 12/08/2007 04:52 PM: Can saslauthd be overloaded to support recipient checking?

saslauthd is an authentication server. It has no concept of recipient. While it may authenticate [EMAIL PROTECTED], it can't be assumed that this construct matches the [EMAIL PROTECTED] in an email address (none of mine do). It also has no ability to map aliases to users. What problem are you trying to solve?
Re: digest md5 without tls?
Guillermo Gómez wrote, at 12/04/2007 04:55 PM: My first question is regarding digest-md5 authentication and tls, can it be done without the tls layer?

Yes. You can do this to offer some means of encrypting authentication without requiring TLS. It (typically) does not encrypt the rest of the message, though, which will be downloaded in the clear. If you do this, make sure you do not also offer PLAIN or LOGIN authentication without TLS.
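To make concrete what the reply above means by "encrypting authentication" without TLS, here is an added example (not code from the list, from Cyrus or from Cyrus SASL) that runs a DIGEST-MD5 exchange per RFC 2831 with both sides in one process and records what would cross the wire. The user name, realm and password are constructed values. The server keeps the shared secret itself, which is also why the "Plaintext only for loopback?" thread on this page finds that only PLAIN works against /etc/shadow: a one-way password hash cannot produce the DIGEST-MD5 response.

```python
"""DIGEST-MD5 (RFC 2831) run locally with both sides, to show what crosses the wire."""
import hashlib
import hmac
import re
import secrets


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def response_value(user, realm, password, nonce, cnonce, nc, qop, digest_uri, *, server_side=False):
    """RFC 2831 response-value. The client's 'response' uses A2 = 'AUTHENTICATE:' uri;
    the server's 'rspauth' uses A2 = ':' uri (server_side=True)."""
    # A1 (md5-sess): raw H(user:realm:password) bytes, then ':nonce:cnonce'
    a1 = _md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    if qop != "auth":                     # auth-int / auth-conf append a zero body hash
        a2 += ":" + "0" * 32
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode())}"
    return _md5hex(kd.encode())


def parse_fields(msg):
    """key=value pairs, quoted or bare, as both directions of the exchange use."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', msg)}


class DigestServer:
    """Holds the shared secret; a real server keeps it in an auxprop store such as sasldb."""
    def __init__(self, realm, users):
        self.realm, self.users, self.nonce = realm, users, None

    def challenge(self):
        self.nonce = secrets.token_hex(16)
        return f'realm="{self.realm}",nonce="{self.nonce}",qop="auth",charset=utf-8,algorithm=md5-sess'

    def verify(self, msg):
        f = parse_fields(msg)
        password = self.users.get(f.get("username"))
        if password is None or f.get("nonce") != self.nonce:
            return None
        self.nonce = None                 # a nonce is good for one attempt only
        args = (f["username"], f["realm"], password, f["nonce"], f["cnonce"],
                f["nc"], f["qop"], f["digest-uri"])
        if not hmac.compare_digest(response_value(*args), f.get("response", "")):
            return None
        return "rspauth=" + response_value(*args, server_side=True)


class DigestClient:
    def __init__(self, user, password, host):
        self.user, self.password, self.host, self.args = user, password, host, None

    def respond(self, challenge):
        f = parse_fields(challenge)
        self.args = (self.user, f["realm"], self.password, f["nonce"],
                     secrets.token_hex(16), "00000001", "auth", f"imap/{self.host}")
        user, realm, _, nonce, cnonce, nc, qop, uri = self.args
        return (f'username="{user}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",'
                f'nc={nc},qop={qop},digest-uri="{uri}",response={response_value(*self.args)},charset=utf-8')

    def server_authentic(self, msg):
        """Mutual authentication: the server proves it also knows the secret."""
        expected = response_value(*self.args, server_side=True)
        return hmac.compare_digest(parse_fields(msg).get("rspauth", ""), expected)


def run_exchange(client_password, server_password="s3cret-pass", user="jorey", realm="mail.example.net"):
    """Returns (client_authenticated, server_authenticated, transcript_lines)."""
    server = DigestServer(realm, {user: server_password})
    client = DigestClient(user, client_password, realm)
    transcript = []
    challenge = server.challenge()
    transcript.append("S: " + challenge)
    answer = client.respond(challenge)
    transcript.append("C: " + answer)
    rspauth = server.verify(answer)
    if rspauth is None:
        transcript.append("S: NO authentication failed")
        return False, False, transcript
    transcript.append("S: " + rspauth)
    return True, client.server_authentic(rspauth), transcript


if __name__ == "__main__":
    for line in run_exchange("s3cret-pass")[2]:
        print(line)
```

The transcript contains nonces and MD5 outputs but never the password, which is the whole benefit the reply describes; everything after authentication (the mailbox contents) still travels in the clear unless qop=auth-conf or TLS is used, and offering PLAIN or LOGIN alongside it hands a downgrading client the password anyway. DIGEST-MD5 has since been moved to Historic status (RFC 6331), so on a current system this is a reason to require TLS rather than a substitute for it.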
Re: Cyrus and Postfix on separate machines -- how?
Rich Wales wrote, at 11/23/2007 11:05 PM: I currently have both Postfix (2.3.5) and Cyrus (2.3.9) running on a single server. Postfix does its thing (including spam and virus filtering) and then invokes Cyrus's deliver program to deliver messages. I would like to move my Cyrus onto a separate system from my Postfix. The reason is because I'm having problems with my Cyrus and want to try setting up a new version of Cyrus (2.3.10) on a different platform, but I would prefer to keep my working Postfix setup where it is for now. What's confusing me here is that I'm not sure how to configure Postfix so it can deliver a message over my LAN to a separate Cyrus server, instead of delivering it over a Unix-domain socket to Cyrus running on the same box. Any suggestions?

Use LMTP. See lmtp(8) for more details, but you'll probably use something like this in main.cf:

mailbox_transport = lmtp:inet:mail.example.com

And enable lmtp in cyrus.conf on the destination:

lmtp cmd=lmtpd listen=lmtp prefork=0
Re: Replication: problems with synctest
Rich Wales wrote, at 11/14/2007 06:13 PM: It looks like my problem with replication not working in one direction was a SASL thing. One of my servers was advertising GSSAPI as an authentication mechanism, but it didn't really work (I don't have Kerberos installed on my systems). Apparently, sync_client on the other box was deciding to use GSSAPI, but was giving up because it wasn't actually functional. I fixed the problem by moving the libgss* libraries out of the SASL2 library directory. While I was at it, I also moved the libntlm* and libotp* libraries out of the SASL2 library directory, since I'm not using either of these authentication methods either. I'm mildly concerned that a future software upgrade might cause these libraries to reappear. Is there a more reliable way to disable SASL authentication mechanisms, other than removing files from the library directory?

I don't use replication, but for normal authentication, I'm able to specify which mechanisms are advertised by including this in imapd.conf:

sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

Maybe this (or some variation) will also work for replication, and you can leave the libraries in place.
Re: Turn on/off IMAP/POP access?
Anders Norrbring wrote, at 10/07/2007 07:06 AM: Is there a way to disable a specific user's access to POP and IMAP in Cyrus? I still want the mail to be delivered to the mailboxes (done via LMTP), but I would like to turn off the user from getting the mail. In case you wonder, it's for a pay system, so if they don't pay, they don't get access.

I would imagine that the Cyrus way would be to change the ACL on the user's mailbox, using cyradm (or Cyrus::IMAP::Shell, in a perl script):

List ACLs:

localhost> lam user.bob
bob lrswipkxtecda

Delete ACLs:

localhost> dam user.bob bob read

List again, to confirm ACLs:

localhost> lam user.bob

Now bob can't read his INBOX, and will get a message like the following when he tries (this is from Thunderbird):

The current command did not succeed. The mail server responded: Mailbox does not exist.

Note that subfolders are still available. Denying access to the INBOX could be enough of an inconvenience to get the user's attention. To restore access to the INBOX:

localhost> sam user.bob bob all

You can also apply the ACL to all subfolders, so they can't access anything:

localhost> dam user.bob.* bob read

To restore access to all subfolders:

localhost> sam user.bob.* bob read

This approach seems preferable to deleting the password, so you or the user won't have to reset it. For information on setting ACLs, see the cyradm man page.
Re: Turn on/off IMAP/POP access?
Ken Murchison wrote, at 10/07/2007 07:51 PM: Jorey Bump wrote:

Delete ACLs:

localhost> dam user.bob bob read

Now bob can't read his INBOX, and will get a message like the following when he tries (this is from Thunderbird):

This won't work since Cyrus implicitly gives users at least 'lca' rights on their own mailboxes, regardless of the explicitly granted ACL.

Interesting. I tested this only with Thunderbird, and it seemed to be effective enough (I didn't test delivery, however). Is the average user able to restore the necessary ACLs, or does it require special knowledge or client features? Also, what is the 'c' ACL? It's not listed on the man page (for my version).
Re: POP3 retrieved mails should be marked as read - how?
Georgy Goshin wrote, at 09/29/2007 06:12 AM: I need the Cyrus POP3 server to mark all messages read by the client but left on the server as read. How do I do this?

POP3 does not mark messages as read. The client downloads the messages, then *it* tracks which messages are read. For obvious reasons, you don't want to mark messages as read merely because they have been downloaded. Tricks played with the deprecated LAST command are not reliable. The feature you want can only be done by modifying the POP3 client to use IMAP to mark messages as read when messages left on the server are read by the POP3 client. I doubt you'll be able to convince any developer to make such a modification, since IMAP already provides this functionality. IOW, switch to IMAP.
Re: Relation of filesystem to Cyrus mailbox structure
Rick Kunkel wrote, at 09/14/2007 11:27 AM: Where I've been stuck recently is trying to figure out things like how to manipulate mailboxes by using the file system.

Don't do that. That's the black box part of Cyrus IMAP. Forget about all the cool things you could do by directly manipulating mbox files.

Here's the latest: I have a user that we migrated from mbox. She has her inbox folder, which migrated fine. Then she has a couple of other folders, which migrated fine. Then she has folders within folders, and those refuse to show up, and it won't let her subscribe to them. Here's how they're in the filesystem:

/var/mail/j/user/janedoe -- Inbox: Migrated fine
/var/mail/j/user/janedoe/folder1 -- Also migrated fine
/var/mail/j/user/janedoe/folder1/folderA -- I can't get to show

I don't think the user really NEEDS the folder called folder1 above, but wants the folders inside of it. So I tried to move folderA back one level so that it was sitting inside the /var/mail/j/user/janedoe folder, but that doesn't work. I figured I had to run a reconstruct command, but no avail there either.

This is one area migration tools failed me, as well. None of them were able to automatically create the mailbox that corresponds to the *directory* that held mbox files, even via IMAP. They were able to preserve the structure, however. If Cyrus IMAP complains:

localhost> lam user.janedoe.folder1
Mailbox does not exist

Then you must create the mailbox:

localhost> cm user.janedoe.folder1

Don't worry, it won't delete or overwrite anything on the filesystem, it's just registering the existence of the mailbox in the blackbox system. Check again, then repeat the process for any other mailboxes that still don't exist. I never did find a way to completely automate this for an entire mailstore. I was quite surprised to discover that most users don't even bother to move mail out of the INBOX, let alone organize them in multiple levels of subdirectories, so I managed to do most of it manually.
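The manual "lam, then cm" loop in the reply above is easy to automate for a whole mailstore once the two inputs are separated: what the server already knows (the output of cyradm's lm) and what the migration left on disk. The script below is an added example, not code from the list or from the Cyrus project. It maps spool directories to mailbox names under the layout shown in the thread (a one-letter hashed directory under the partition root, then user/<name>/...; set hashed=False if your spool has no such directory), infers any intermediate parent that is missing, and emits the cm lines in parent-first order. It reads nothing from disk and touches nothing; you feed it a directory list (for example from find) and run the resulting commands in cyradm yourself. The KNOWN and ON_DISK values are constructed from the example in the thread.

```python
"""Find the mailboxes that must be registered so a migrated folder tree is complete."""
import os


def path_to_mailbox(path, partition_root="/var/mail", hashed=True, sep="."):
    """Map a spool directory to a mailbox name. Assumes the layout shown in the
    thread: <partition>/<hashdir>/user/<name>/<folders...>, where <hashdir> is the
    one-letter directory a hashed spool adds (set hashed=False if it is absent).
    Use sep="/" for a server running with unixhierarchysep."""
    parts = os.path.relpath(path, partition_root).split(os.sep)
    if hashed:
        if len(parts) < 2 or len(parts[0]) != 1:
            raise ValueError(f"unexpected spool layout: {path}")
        parts = parts[1:]
    return sep.join(parts)


def mailboxes_to_create(known, spool_dirs, sep=".", **layout):
    """Names found on disk but not registered, plus any intermediate parent that is
    missing, ordered so that each parent comes before its children."""
    found = {path_to_mailbox(p, sep=sep, **layout) for p in spool_dirs}
    needed = set()
    for name in found:
        parts = name.split(sep)
        for depth in range(2, len(parts) + 1):   # user.<name> and everything below it
            needed.add(sep.join(parts[:depth]))
    return sorted(needed - set(known), key=lambda n: (n.count(sep), n))


def cyradm_commands(missing):
    """The cyradm 'cm' lines to run, in order."""
    return [f"cm {name}" for name in missing]


# Constructed sample: what 'lm' reported versus what the migration left on disk.
KNOWN = ["user.janedoe"]
ON_DISK = [
    "/var/mail/j/user/janedoe",
    "/var/mail/j/user/janedoe/folder1",
    "/var/mail/j/user/janedoe/folder1/folderA",
]

if __name__ == "__main__":
    for cmd in cyradm_commands(mailboxes_to_create(KNOWN, ON_DISK)):
        print(cmd)
```

Review the list before running it: a directory that holds no cyrus.header or messages (a leftover from a failed copy, say) will be proposed as a mailbox too, and as the reply notes, cm only registers the name, so the existing files in that directory are left as they are.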
Re: can sieve script flag the whole thread?
Zhang Weiwu wrote: I read the RFCs and documents I can find on the internet; it seems it's not possible for sieve to flag a thread. I need such an action that not only setflags the current email, but also any other emails in the same thread in the folder. This is useful to organize workflow in our business: each workflow is a discussion thread and if someone sends an email to this thread with subject Done, the whole thread should be flagged or moved to another folder. Being able to setflag (or move messages) for a whole thread of discussion is vital to use sieve to help us organize email, otherwise we probably wouldn't put as much information in email and try to develop a web application on our own. Can this be done? Help really appreciated.

It's an interesting idea, and I've often mused on leveraging IMAP features to form the core of a trouble ticket system. However, you're going to want to reevaluate the idea of having user-created email content trigger events. It's fine for categorization and even some types of merging, but setting a ticket's status should require an explicit action to avoid unpredictable or externally influenced results. You will also get better compatibility among different clients if you try to preserve the Subject header as much as possible.
Re: Spam and sieve vacation
Janne Peltonen wrote: The policy in our university has long been to discourage using auto responders (two of the main reasons being, we don't want to end up forwarding spam to innocent third parties, and neither want to automatically confirm to a spammer that an address works - auto-answers to lists and other traditional pitfalls are more easy to avoid). So we don't support sieve vacation, either. [snip] Now I'd like to ask the people on this list about their experiences using the sieve vacation module. The risks of automatically responding to spam / automatically forwarding spam / ending up in sorcerer's apprentice mode / ending up having our mail servers blacklisted as spam relays - would they be acceptably low?

The risks are dependent on how effective your antispam measures are. If you find that your institution is still delivering a high amount of spam to user inboxes, it might be wise to continue the ban on autoresponders. If you don't get much spam, sieve vacation is suitable. Providing a usable frontend for ordinary users is the real challenge.
Re: Spam and sieve vacation
Janne Peltonen wrote: On Fri, Aug 24, 2007 at 07:47:28AM -0400, Jorey Bump wrote: If you don't get much spam, sieve vacation is suitable.

But how much is much, in your opinion? Say, 4 spam messages per day per user, with 50 000 users? Would that be much? If, during summer, 25% of our users were to have vacation active at any given time, that'd result in 50 000 vacation spams per day...

In my opinion, no amount of backscatter is acceptable, so I don't allow user-configurable autoresponders or forwarding. My antispam measures have reduced the amount that makes it to the user's inbox to about 5/week, so I will make a rare exception, but only if I configure it myself. Forwarding has proven to be more risky than autoresponses, because aggressive ESPs can create a temporary DoS to their sites for the entire server. This is particularly frustrating when the cause is your own user marking a forwarded message as spam. On systems that I use but don't manage, autoresponders and forwarding do cause problems, and servers get publicly blacklisted regularly. There is also an increase in volume caused by the backscatter from autoresponses, affecting both bandwidth and storage needs. That said, both features can be useful and even justifiable, but have fallen into disfavor due to the problems they cause. RFC 3834 compliance and continual evaluation of your antispam measures will help. Unfortunately, demand for these features often has a political component that can affect you professionally, so only you can decide what's best.
Re: better techniques to identify and remove zero-day viruses from cyrus store sought
John Crawford wrote: Sieve is during delivery to the cyrus store though. As we have the capability to identify hazards to our users, I'd like to be able to exercise central strategies to improve their quality of life. So I seek tools to leverage after detection to aid with removal or remediation. Maybe would be nice to have a just-in-time scan interface at the cyrus message level just as a message is being accessed. CPU processing is getting cheaper all the time.

Hmm, this is an interesting problem. At one extreme, you're changing the mailstore or connection while the user is logged in, which could result in some confusion (and possibly trigger some client software issues). At the other extreme, you may have an account that hasn't been checked for weeks, so it's fine to remove malicious messages that have accumulated due to lack of detection before delivery. You also have to be careful not to remove messages that have been forwarded to your support address, as they will contain strings that may trigger detection. To handle all cases safely, you'd probably want to script using Cyrus::IMAP::Shell, so all changes are performed via IMAP. You can do this safely with Cyrus because it supports concurrent R/W access. Instead of deleting these messages, you'll want to put them in a quarantine account so you can restore them in the case of false positives. I'm still not sure I'd be comfortable doing this beneath the nose of a logged in user. I'd also hesitate to touch anything outside the INBOX (and any quarantine folders you provide), since it can be assumed that the message was moved due to user action. I'd probably test this for a long time only on accounts that aren't being checked regularly (this also has the benefit of reducing the size of abandoned accounts). Have you found that the risks justify this effort? Are your ClamAV scans of the mailstore turning up anything? Are they serious threats?
Re: better techniques to identify and remove zero-day viruses from cyrus store sought
Jorey Bump wrote: Have you found that the risks justify this effort? Are your ClamAV scans of the mailstore turning up anything? Are they serious threats?

I've just scanned a mailstore with ClamAV, and about 95% of the 'FOUND' infected files were false positives.

Here there be dragons.
Re: better techniques to identify and remove zero-day viruses from cyrus store sought
John Crawford wrote: What's the best way, and second best way to react to zero-day virus threats - messages that are delivered to the mail store before the detection is in place?

Any detection that can take place in the mail store can (and should) be moved up the chain, preferably to the MTA.

Is there a best practice that functions nicely within the cyrus community?

Yes, once a message is delivered, leave it alone. The most you should do at that point is maybe provide an opt-in sieve rule that stores suspicious messages in a special folder. But even this has caveats, and I prefer to let the users sort their own mail.
Re: Basic configuration
Todd Lyons wrote:

> Jesus, just run 'passwd cyradm' and set it to whatever the heck you want.

He needs to set a password for the user(s) in the admins list in imapd.conf. The imapd.conf he supplied includes this:

    # Uncomment the following and add the space-separated users who
    # have admin rights for all services.
    #admins: cyrus

Since the line is still commented out, it would appear he has specified no admins. He should uncomment this line, then set a password for the cyrus user:

    passwd cyrus

That's assuming the cyrus user exists, and is intended for cyrus administration on his system. He should also view the man page for imapd.conf:

    man imapd.conf

and pay close attention to the admins entry under FIELD DESCRIPTIONS, which, on my version (2.3.x) says:

    admins: <empty string>
        The list of userids with administrative rights. Separate each
        userid with a space. Sites using Kerberos authentication may use
        separate admin instances.

        Note that accounts used by users should not be administrators.
        Administrative accounts should not receive mail.

That is, if user jbRo is a user reading mail, he should not also be in the admins line. Some problems may occur otherwise, most notably the ability of administrators to create top-level mailboxes visible to users, but not writable by users.
Re: create IMAP user, or whatever
Sam Przyswa wrote:

> Mogens Melander wrote:
>
>> Hmm. you might want to breeze through some of the rather comprehensive documentation that accompanies this software suite. You might find some hints.
>
> Did you think that I don't read the doc before posting? At this time I can't run cyradm or add-cyrus-user as I said in my mail, tell me what I missed in the doc and where to find the mysterious password to run cyradm, the Webmin module doesn't work either for the same reason.

There is no default password. This is something that the administrator must set. There is more than one way to do this. We'll need to know more about your configuration. A good start would be to provide your /etc/imapd.conf.
Re: unified tld - [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] to the same cyrus user.joe mailboxes
Maulvi Bakar wrote:

> Hi all
>
> I have a system which accepts mails for example.com, example.net and example.org. Rather than creating 3 differing mailboxes on cyrus, it is decided to create 1 mailbox for all the TLDs, since all the domains involved refer to the same entity. Right now, I can receive mails for [EMAIL PROTECTED] which will be delivered to cyrus user.joe mailbox. I would appreciate if some kind soul would explain how to deliver mails for [EMAIL PROTECTED] and [EMAIL PROTECTED] to cyrus user.joe mailbox as well.
>
> My setup is currently as thus -
>
> CentOS 5
> Postfix
> Cyrus
> OpenLDAP

I configure all of my domains as virtual_alias_domains in Postfix:

    virtual_alias_domains = /etc/postfix/vhosts

/etc/postfix/vhosts is simply a text file listing my domains:

    example.com
    example.net
    example.org

Then I explicitly map all addresses for each domain in virtual_alias_maps:

    virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual maps each address to unique users (or aliases in alias_maps):

    [EMAIL PROTECTED]    admin
    [EMAIL PROTECTED]    joe
    [EMAIL PROTECTED]    joe
    [EMAIL PROTECTED]    admin
    [EMAIL PROTECTED]    joe
    [EMAIL PROTECTED]    joe
    [EMAIL PROTECTED]    admin
    [EMAIL PROTECTED]    joe
    [EMAIL PROTECTED]    joe
    [EMAIL PROTECTED]    jane

In this example, joe corresponds to the Cyrus mailbox user.joe, but admin is expanded in /etc/mail/aliases to other users (both local and external). Final delivery is done via LMTP to Cyrus:

    mailbox_transport = lmtp:unix:/var/imap/socket/lmtp

Sorry, I don't use LDAP, I use sasldb2 for authentication. To simplify things, I put all users in the same realm, regardless of the email domain(s) they belong to:

    smtpd_sasl_local_domain = mail.example.net

Note that I'm using a generic realm that is portable between machines. This is *not* necessarily the local machine's hostname (and it doesn't even need to be a hostname, you can use just about anything you want).

One advantage of using a single realm is that I can support bare username logins by making it the defaultdomain in /etc/imapd.conf:

    defaultdomain: mail.example.net

Finally, be sure to support delivery of mixed-case addresses in /etc/imapd.conf:

    lmtp_downcase_rcpt: true

Aside from not using LDAP, my standard setup sounds identical to what you're trying to achieve. Hopefully, this is enough to get you started.
Re: Method to drop unknown user messages to black hole
Bob Bob wrote:

> My first question is a general one. Do you all choose to send reject/nonexistent user messages or just black hole them? Rejecting is obviously the simplest solution but I am concerned about being blacklisted from sending garbage back out. There are ways of course to stop backscatter happening but I am also concerned that there are valid bounces being created that the (real) sender needs to know about. I'd like to hear what your solutions have been.

Best practice is to reject invalid recipients from the sending client during the SMTP transaction. This will not get you blacklisted, as you will not be the source of any backscatter. I use Postfix to deliver to Cyrus via LMTP, and rejecting invalid recipients works just fine.
Re: problem with admin-user
Philippe Trolliet wrote:

> Now I need to specify an admin user for every single domain because of the @domain.com. In FC4 everything worked fine with the single admin account cyrus without a realm.

My comments may be completely irrelevant for you, because I don't use saslauthd, pam, mysql, virtdomains, or (shudder) Fedora Core, but are you sure you need the extra complexity?

For example, I host mail for many different domains, but manage them under a single (portable) realm, with a single admin user. Users have no knowledge of the realm, and it isn't required for logins (which means I have the extra burden of keeping all logins unique). I just need to set the defaultdomain in imapd.conf, and add every user to sasldb2 as a member of that realm (I'm aware you're not using sasldb2, but maybe your realm issue is related).

I did this because I prefer bare logins. Although logins with appended realms have a certain logical appeal, I think it would still cause issues with users who don't understand realms. A bare login and password is easier to understand and explain, especially when multiple addresses are aliased to a single account.

But I digress. If you're tied to your current system, this won't be of much help to you.
Re: Superior hierarchical mailbox creation, after the fact
Zoran Kikic wrote:

> I'm running Imapd 2.3.8+Postfix+SA+Amavis-New and everything works fine without INBOX folders - even my Sieve scripts:
>
>     require "fileinto";
>     if header :contains "X-Spam-Flag" "YES" {
>         fileinto "INBOX/Spam";
>     }
>
> There is NO INBOX but it works.

Of course there's an INBOX. In IMAP, INBOX is virtual, and doesn't require a physical directory/mailbox named INBOX on the filesystem. In the case of Cyrus IMAPD, for example, my INBOX is:

    /var/spool/imap/user/jorey
Re: Superior hierarchical mailbox creation, after the fact
Ross Boylan wrote:

> I've created INBOX.a.b, INBOX.a.c, and others. To my surprise, there is no INBOX.a folder. This was discussed previously on this list (2/28/06, similar to this message's subject), and is Cyrus's expected behavior.
>
> I've now decided I want a folder INBOX.a, that is something I can move messages into. Is it safe to create such a folder, or will it cause problems, for example wiping out the current folders under INBOX.a?

Yes, it's safe. The directory is there, it's just not a mailbox. The easiest way to fix this is to create it as a mailbox. So, reproducing your steps, it would look like this:

    localhost> cm user.ross.a.b
    localhost> cm user.ross.a.c
    localhost> cm user.ross.a.d
    localhost> cm user.ross.a

This is actually one of the steps I had to do when migrating from an mbox-based system, as none of the migration tools had an option to turn parent folders into mailboxes.
Re: Connection throttling POP3.
David S. Madole wrote:

> From Matthew Schumacher on Monday, May 21, 2007 6:35 PM
>
>> The first iptables suggestion blocked the offending IP, which is fine, but also requires me to babysit the server. The second suggestion would correctly limit connections, but if I'm reading it right, would lump all connections together, not just connections per originating IP address.
>
> If you are talking about the suggestion I made, which looked like this:
>
>     iptables -A INPUT -p tcp --dport 22 \
>         -m state --state NEW \
>         -m recent --update --seconds 60 -j DROP
>     iptables -A INPUT -p tcp --dport 22 \
>         -m state --state NEW \
>         -m recent --set -j ACCEPT
>
> then you did not read it right. It limits to one connection per IP address per minute. Each source address is kept track of in enforcing the limit. Using the --hitcount option in addition to the --seconds option, you can also create limits such as a maximum of four connections in two minutes, etc.
>
> I also use this for blocking brute force SSH attacks, and can't understand why anyone would choose a log parsing script instead. It stops them dead in their tracks (even with a much lower time limit). It would be interesting if it could also be applied to POP3.

Your logs indicate that a much lower time limit would suffice (not sure why your second line is -1 seconds after the first, though). Even if the protocol allows it, I'm willing to bet you'll find some brain-dead mail client that has problems, though.
Re: permission problem on lmtp socket
JOYDEEP wrote:

> I have
>
>     mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
>
> in main.cf. I have
>
>     lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>
> in cyrus.conf. Now whenever I try to send mail from [EMAIL PROTECTED] to [EMAIL PROTECTED] it reports error
>
> ---
> Apr 27 11:31:25 lvps87-230-8-228 postfix/lmtp[3433]: 2BF37BFE10C: to=[EMAIL PROTECTED], relay=none, delay=2822, status=deferred (connect to /var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp]: Permission denied)
> --
>
> The error is coming from postfix. I have checked the permission and it is owned by cyrus mail. I have also checked the parent path starting from /var/lib/imap and it along with the underlying structures are owned by cyrus:mail

Run this command:

    groups postfix

You should see this output:

    postfix : postfix mail

If not, you must add postfix to the mail group.

> Moreover lmtptest command reports
> --
> getaddrinfo: Servname not supported for ai_socktype
> failure: Network initialization - can not connect to localhost:lmtp
>
> I am using suse 9.2. How can I solve it ? please help

lmtptest seems to work only with a TCP port, and you're using a socket. Don't waste time here. Fix your other error, and you should be fine.
Re: Sieve vacation message corrupting database?
E.H.Eefting wrote:

> The sieve script:
>
>     require "vacation";
>     vacation "phatte test";
>     vacation :addresses "[EMAIL PROTECTED]" "phatte test";
>
> We've been using cyrus-imap for years on many servers in a similar setup and never had any problems. However, this is the first time we start using sieve. I don't need help with restoring the database, I just want to find out what causes the corruption and if any other people are using vacation messages with success.

I can only answer your last question, being new to sieve myself. Here is the script I use without any problems:

    require "vacation";
    vacation :addresses ["[EMAIL PROTECTED]", "[EMAIL PROTECTED]"] text:
    Sorry, I am away.
    I will attend to your request upon my return.
    .
    ;

I can't explain any of it to you, but it's quite different than your example (note the closing punctuation of the text). There are probably legal variations, but this works, so give it a try.
Re: cyradm can't login with --port 993
JOYDEEP wrote:

> when I had imap ; cyradm didn't have any problem to login. But after changing it to imaps cyradm can't login. the command I use is
>
>     cyradm --port 993 -u cyrus localhost
>
> the log says it as ..
>
>     imaps TLS negotiation failed
>
> though I can successfully use KMail and thunderbird with imaps at port 993. any fix is there ?

If cyrus is configured for STARTTLS on port 143, use:

    cyradm host.dom -tls

I believe this feature was added in version 2.3.
Re: Bare newlines problem
Paul van der Vlis wrote:

> It's a big message with photos, 3.5 MB. I am not sure this warning is correct. I hope somebody can tell me how I can remove the bare newline(s) in the message.

I've had to deal with this issue when moving such a message between accounts, in my case from a UW-IMAP server using mbx to a Cyrus 2.3 server. While forwarding the message usually works, it's inelegant. Oddly, I've found that simply copying it to a temporary folder on the UW-IMAP server before copying it to Cyrus is often all that's needed for the operation to be successful. YMMV.
Re: how to enable TLS encryption only ?
JOYDEEP wrote:

> thanks a lot for so in depth discussion. I have already enabled SSL encryption :-) as I have come to know from some documentation that the STARTTLS is still not very standard and the client side support for it has not become standard too.

Actually, it's very standardized and widely supported by nearly all new versions of client software. You only need to consider alternatives for existing legacy clients and perhaps newer buggy ones.

> and now I am going for the secured authentication. I may be permitted to give here the main.cf so that you can suggest the necessary tweaking I need.

For the most part, this looks good.

> -
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> sievedir: /var/lib/sieve
> admins: cyrus
> allowplaintext: yes

This is fine, as long as you've considered the risk and educated your users to use the most secure approach available. It's quite trivial to decode LOGIN authentication, if it can be sniffed on the wire.

> sasl_mech_list: LOGIN PLAIN

Consider supporting CRAM-MD5 and DIGEST-MD5 (see below).

> allowanonymouslogin: no
> autocreatequota: 1
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost

Are you actually using drac? It's hard to make a case for POP-before-SMTP, these days. I'd disable it in favor of per-user authentication.

> sasl_pwcheck_method: saslauthd

Consider switching to auxprop so you can support CRAM-MD5 and DIGEST-MD5. Administering sasldb2 is no harder than maintaining local system users, but I feel it narrows the risk. There are two sides to this argument, so do some research before you make your decision.

> #auxprop saslauthd
> #sasl_auxprop_plugin: sasldb2
> servername:linux.kolkatainfoservices.in
> lmtp_overquota_perm_failure: no
> lmtp_downcase_rcpt: yes
> #
> # if you want TLS, you have to generate certificates and keys
> #
> tls_cert_file: /etc/openldap/myca/servercert.pem
> tls_key_file: /etc/openldap/myca/serverkey.pem
> tls_ca_file: /etc/openldap/myca/cacert.pem
> tls_ca_path: /etc/openldap/myca/
> tls_require_cert: no
> tlscache_db: berkeley
> unixhierarchysep: yes

Do you need to support dots in usernames or mailboxes? This is purely a matter of choice, but not all systems support usernames with dots, so it may affect future migrations to other IMAP servers. I prefer to have logins without dots, but allow dots in the local part of aliases. Of course, if you have existing accounts that already contain dots, you'll probably need this for migration.

> virtdomains: yes
> defaultdomain: kolkatainfoservices.in
> loginrealms: kolkatainfoservices.in
> hashimapspool: true
> lmtpsocket: /var/lib/imap/socket/lmtp
Re: More success with TLS; problem with STARTTLS
JOYDEEP wrote:

> OK, Arnaud now it is clear to me SSL includes STARTTLS.

No, it just negates the need for it.
Re: More success with TLS; problem with STARTTLS
JOYDEEP wrote:

>     imtest -a aftab -m LOGIN linux.kolkatainfoservices.in -p 993 -s -t

You want to test STARTTLS on the default IMAP port:

    imtest -a aftab -m LOGIN -t linux.kolkatainfoservices.in
Re: TLS running :-) problem with certificate
JOYDEEP wrote:

>     C: S01 STARTTLS
>     S: S01 OK Begin TLS negotiation now
>     verify error:num=19:self signed certificate in certificate chain
>     verify error:num=24:invalid CA certificate
>     verify error:num=26:unsupported certificate purpose
>     TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>     [snip]
>     Security strength factor: 256
>
> But from the above you can see the problem with self signed certificate. So how can I still work with self signed CA ?

It does work. Don't let the feedback alarm you. If this is unacceptable for your users, you will need to purchase and install a widely accepted commercial certificate (you can get some satisfactory ones for less than $50 these days).
Re: how to enable TLS encryption only ?
Olaf Fraczyk wrote:

> On Fri, 2007-03-30 at 16:19 +0530, JOYDEEP wrote:
>
>> I am a bit confused here. may be I am wrong but imaps is running at port 993 with SSL where imap with TLS is running at port 143. I need the imap + TLS. I don't have any imaps entry in my imapd.conf. So could you all be a little more verbose :-) thanks for the help so far.
>
> I mean that if you want to force encryption on users you need to use imaps.

It's not quite that simple. The documentation is less than clear on this, but the behaviour of the daemon is affected by various settings. For example, (on recent versions of Cyrus IMAP, at least) by enabling TLS:

    tls_key_file: /path/to/key.pem
    tls_cert_file: /path/to/cert.pem

and setting these values:

    sasl_pwcheck_method: auxprop
    sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    allowplaintext: 0
    sasl_minimum_layer: 0

Cyrus IMAP will perform some basic integrity checks appropriate to the mechanism used:

    PLAIN is denied without negotiating STARTTLS first
    LOGIN is denied without negotiating STARTTLS first
    CRAM-MD5 is allowed without negotiating STARTTLS
    DIGEST-MD5 is allowed without negotiating STARTTLS

By enabling plaintext:

    allowplaintext: 1

It is now possible to use LOGIN without STARTTLS, but (on my system) PLAIN still requires STARTTLS. By adjusting sasl_minimum_layer, it is also possible to require encryption for the other mechanisms.

So, yes, it is possible to enforce a variety of security levels on port 143. Getting this to match your local policy requires some tweaking. You may only care that authentication is encrypted, but not the message transfer. In that case, it's only necessary to enforce TLS for PLAIN and LOGIN.

imtest is indispensable for testing your configuration. You can run it through its paces by specifying different mechanisms:

    imtest -u bob -a bob -m PLAIN mail.example.com

and adding TLS negotiation:

    imtest -u bob -a bob -m PLAIN -t mail.example.com

The output is verbose and will help you to understand how your server is configured. Remember to logout with:

    . logout

> If you have imap + TLS it is up to the client to decide if it wants to upgrade the clear text connection to TLS. Disabling imap disallows connection of clients and sending clear text passwords on the wire :) You may consider (not technically 100% accurate): imaps=imap+TLS_always_on.

Well, this is only true if you've configured imapd to run in SSL wrapper mode with the -s flag (not the same as STARTTLS):

    imaps cmd="imapd -s" listen="imaps" prefork=0

You can do that on any port, even 143 (not recommended). It's still a good idea to configure imaps (on port 993), since client support for STARTTLS is still relatively recent. There are a lot of legacy clients that can't negotiate STARTTLS, but can handle imaps (SSL) just fine.
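imtest, as used above, shows what the server offers before and after STARTTLS interactively. As an added example, not from the thread or from the Cyrus project, the following Python script classifies a pre-STARTTLS CAPABILITY response the same way: it reports whether STARTTLS is offered, whether the LOGIN command is disabled until TLS is up (RFC 2595 has a server advertise LOGINDISABLED for that), and which SASL mechanisms would send the password in the clear. The function and constant names are assumptions, and the two sample capability lines are constructed to match the allowplaintext: 0 and allowplaintext: 1 behaviour the reply describes, not captured from a real server.

```python
"""Classify an IMAP server's pre-STARTTLS capabilities.

Added example for this page; assumes only RFC 3501 CAPABILITY syntax.
The sample capability lines below are constructed, not captured.
"""
import imaplib
import ssl

# SASL mechanisms that carry the password in the clear
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capability_line(line):
    """Turn a raw '* CAPABILITY ...' untagged response into a token list."""
    parts = line.strip().split()
    if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() == "CAPABILITY":
        parts = parts[2:]
    return parts


def assess_capabilities(caps):
    """Return findings for capability tokens seen before STARTTLS."""
    caps = {c.upper() for c in caps}
    mechs = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    plaintext = sorted(mechs & PLAINTEXT_MECHS)
    findings = {
        "starttls": "STARTTLS" in caps,
        # RFC 2595: a server refusing LOGIN before TLS advertises LOGINDISABLED
        "login_disabled": "LOGINDISABLED" in caps,
        "plaintext_mechs_before_tls": plaintext,
        "challenge_mechs": sorted(mechs - PLAINTEXT_MECHS),
    }
    # A password can travel in the clear if the LOGIN command is still
    # enabled or a plaintext SASL mechanism is offered before TLS.
    findings["password_exposure_possible"] = (
        not findings["login_disabled"] or bool(plaintext)
    )
    return findings


def audit_server(host, port=143):
    """Live check (not exercised by the test): compare pre- and post-STARTTLS offers."""
    conn = imaplib.IMAP4(host, port)
    before = assess_capabilities(conn.capabilities)
    conn.starttls(ssl.create_default_context())  # imaplib refetches CAPABILITY afterwards
    after = assess_capabilities(conn.capabilities)
    conn.logout()
    return before, after


# Constructed samples: what an RFC 2595 server advertises in the two states
# the reply describes (plaintext denied before STARTTLS vs. allowed).
LOCKED_DOWN = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5"
PERMISSIVE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5"

if __name__ == "__main__":
    for sample in (LOCKED_DOWN, PERMISSIVE):
        print(assess_capabilities(parse_capability_line(sample)))
```

audit_server uses a default SSL context, so a self-signed certificate like the one in the thread makes the STARTTLS step fail verification; that is the same signal the "verify error" lines from imtest give, and whether to accept it is the policy decision discussed above.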
Re: POP3 working, IMAP is not
patrick wrote:

> Actually, Thunderbird was showing all of the messages. I didn't see the latest messages because its sort arrows are upside down (!). It would seem that this must be an IMP problem, so I'll start looking there.
>
>> quota. If I connect via POP3 I do, however, see all of the messages there. I tried connecting via IMAP from a desktop client (Thunderbird), and it is showing me *most* of the messages, though not any from today. I've scoured the logs, but don't see any errors.

Keep in mind that troubleshooting the same account with both POP3 and IMAP can have disastrous results, since POP3 will delete the messages from the server by default. This is a common issue dealt with by administrators whose users are experimenting with or switching to new email clients or workstations.
Re: Autocreateinboxfolders not being autocreated
Jonathan Villa wrote:

> Actually, I'm not sure if the Centos4 RPMS come with the autocreate patch. I assume they don't. I'm actually thinking of building this from source as I've done with most of my other installs anyway. I'll use the examples you've provided as well. What's been tough for me is that on another Centos install, I haven't had any issue. Looking into autocreateinboxfolders is a workaround for me because I keep getting permission denied errors with squirrelmail and outlook doesn't create those folders either. For some reason, on my other configurations, I haven't had this issue. so, off to build from source and see what happens then.

I'm confused by your description. In what way does SquirrelMail interact with Cyrus IMAP that would result in permission denied errors? If you have a valid user that authenticates, and your prefix is set up properly, SquirrelMail should be able to create the necessary folders. Look for differences in SquirrelMail's config.php file on your working Centos setup. Using autocreate with Cyrus seems a red herring here.

It's anybody's guess what's wrong with Outlook. I *always* test/troubleshoot that beast last.
Re: Username different from mailbox
Patrick Kranz wrote:

> Now I have a customer, who needs the scenario that the usernames for Cyrus differ from the mailbox and mailaddress respectively. For example [EMAIL PROTECTED] should be able to login with the username someOtherUsername. This need arises from an integration with other software-packages. Is there any possibility to make this work?

Yes, this is no different from any other alias or virtual setup that offers multiple addresses to individual users. You would handle this in the MTA. For example, I use virtual_alias_maps with Postfix, and map all addresses to the corresponding cyrus IMAP user:

    [EMAIL PROTECTED]    admin
    [EMAIL PROTECTED]    admin
    [EMAIL PROTECTED]    admin
    [EMAIL PROTECTED]    bob
    [EMAIL PROTECTED]    bob

You can also use the aliases file and other approaches.
Re: Convert tool
Fabio Silva wrote:

> Hi all, is there any tool to migrate from mbox format to cyrus-imap ??? could you tell me any tool to do it??? I'm using sles10, and I need to migrate my users to our new cyrus server

I used imapsync:

    http://www.linux-france.org/prj/imapsync/

The only serious issue I had was that it did not convert containing directories into proper cyrus mailboxes. All of the mbox files were properly converted, though.
Re: A script for fixing bare newlines in mailbox files?
Joseph Brennan wrote:

> When moving from U Wash to Cyrus we applied this rewrite to all mailboxes. Get rid of any nulls while you're at it.
>
>     #!/usr/bin/perl
>     use strict;
>     use warnings;
>
>     # Read the mailbox on STDIN (or files named on the command line),
>     # write the corrected copy to STDOUT.
>     while (defined(my $line = <>)) {
>         # The \000 character (NUL) is not allowed
>         if ($line =~ s/\000//g) {
>             print STDERR "WARNING: Removing NUL\n";
>         }
>         # Change CRLF or bare CR to LF
>         my ($endcr, $midcr) = (0, 0);
>         $endcr++ if ($line =~ s/\015$//g);   # \n already there
>         $midcr++ if ($line =~ s/\015/\n/g);  # add \n
>         if ($endcr || $midcr) {
>             print STDERR "WARNING: Correcting CR characters\n";
>         }
>         print $line;
>     }

Did any users report any further corruption of what is arguably already a corrupted message? I'm not familiar with the cause of this problem, but having encountered it before, mainly with messages that have large attachments, I'm wondering if attached files might be unusable after such a scrubbing (assuming they were not encoded properly).
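The question in the reply, whether a scrub like the one quoted can damage attachments, can be answered per message before rewriting anything. Below is an added example for this page, not the thread's script and not from any project: a Python pass that counts bare CRs and NULs in each MIME part and records the part's Content-Transfer-Encoding, so a hit in an 8bit or binary part (where the rewrite would alter payload bytes) stands out from one in a base64 part (where a stray CR is not valid data anyway). The MIME walker is deliberately minimal (boundary lines only, no nested parameter continuations), the function names are assumptions, and the sample message is constructed.

```python
"""Report bare CRs and NULs per MIME part before running a scrub.

Added example for this page; not the Perl script from the thread. The MIME
walker is minimal (boundary lines only) and the sample message is constructed.
"""
import re

BARE_CR = re.compile(rb"\r(?!\n)")   # CR that is not part of a CRLF


def split_headers(raw):
    """Split a raw message or part at its first blank line."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if not m:
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def header_value(headers, name):
    """Unfolded value of the first header called `name`, or ''."""
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", headers)
    for line in unfolded.split(b"\n"):
        key, sep, value = line.rstrip(b"\r").partition(b":")
        if sep and key.strip().lower() == name.lower().encode():
            return value.strip().decode("ascii", "replace")
    return ""


def split_multipart(body, boundary):
    """Return the raw bytes of each part between boundary lines."""
    delim = b"--" + boundary.encode()
    parts, current, inside = [], [], False
    for line in body.split(b"\n"):   # split on LF only: a bare CR is not a line end
        stripped = line.rstrip(b"\r")
        if stripped in (delim, delim + b"--"):
            if inside:
                part = b"\n".join(current)
                # The CRLF before a delimiter belongs to the delimiter (RFC 2046).
                parts.append(part[:-1] if part.endswith(b"\r") else part)
            current, inside = [], stripped == delim
        elif inside:
            current.append(line)
    return parts


def audit(raw, label="message"):
    """List (label, content-type, transfer-encoding, bare_cr, nul) per leaf part."""
    headers, body = split_headers(raw)
    ctype = header_value(headers, "Content-Type") or "text/plain"
    cte = (header_value(headers, "Content-Transfer-Encoding") or "7bit").lower()
    main = ctype.split(";")[0].strip().lower()
    m = re.search(r'boundary="?([^";]+)"?', ctype, re.I)
    if main.startswith("multipart/") and m:
        report = []
        for i, part in enumerate(split_multipart(body, m.group(1)), 1):
            report.extend(audit(part, "%s/part%d" % (label, i)))
        return report
    return [(label, main, cte, len(BARE_CR.findall(body)), body.count(b"\x00"))]


def risky_parts(report):
    """Parts where a scrub would alter payload bytes: hits in 8bit/binary parts."""
    return [r for r in report if (r[3] or r[4]) and r[2] in ("8bit", "binary")]


# Constructed sample: a text part with a bare CR, a clean base64 image,
# and a binary attachment that was never encoded (bare CR and NULs).
SAMPLE = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: photos\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XYZ\"\r\n\r\n"
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\n"
    b"line one\rstill line one\r\nline two\r\n"
    b"--XYZ\r\nContent-Type: image/jpeg\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    b"/9j/4AAQSkZJRg==\r\n"
    b"--XYZ\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: binary\r\n\r\n"
    b"\x00\x01\r\x02\x00\r\n"
    b"--XYZ--\r\n"
)

if __name__ == "__main__":
    report = audit(SAMPLE)
    for row in report:
        print(row)
    print("risky:", [r[0] for r in risky_parts(report)])
```

On the sample this reports one bare CR in the text part (harmless to rewrite), nothing in the base64 image, and one bare CR plus two NULs in the binary attachment, which is the only part risky_parts lists. Run it over each message of an mbox before the scrub and the attachments the reply worries about are the ones in that list.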
Re: timeouts when connecting to imap server
Timo Veith wrote:

> Does a service name in /etc/cyrus.conf have to be unique?

Yes, it isn't really a service name (i.e. from /etc/services), but a unique identifier. This allows you to assign names for multiple configurations of the same network service, so you can manipulate them separately in imapd.conf. I'm sorry I didn't see that in your original post. You need to fix this for all of the services you've duplicated.

In practice, this allows you to preface certain configuration directives with the unique service name. For example, you might set a global TLS key that all services will use by default:

    tls_key_file: /etc/ssl/imapd.key

But you might also have a uniquely named imapd that uses a different key:

    imapdlo_tls_key_file: /etc/ssl/imapdlo.key

In cyrus.conf, this alternate imapd might coexist with your regular imapd like this:

    imap      cmd="imapd" listen="192.168.1.4:imap" prefork=0
    imapdlo   cmd="imapd" listen="127.0.0.1:imap" prefork=0

Note that the listen parameter uses the actual service name defined in /etc/services.